Preface



AMAST’s goal is to advance awareness of algebraic and logical methodology as part 
of the fundamental basis of software technology. Ten years and seven conferences 
after the start of the AMAST movement, I believe we are attaining this. The 
movement has propagated throughout the world, assembling many enthusiastic 
specialists who have participated not only in the conferences, which are now annual, 
but also in the innumerable other activities that AMAST promotes and supports. 

We are now facing the Seventh International Conference on Algebraic 
Methodology and Software Technology (AMAST’98). The previous meetings were 
held in Iowa City, USA (1989 and 1991), in Enschede, The Netherlands (1993), in 
Montreal, Canada (1995), in Munich, Germany (1996), and in Sydney, Australia 
(1997). This time it is Brazil’s turn, in a very special part of this colorful country - 
Amazonia. 

Thus, “if we have done more it is by standing on the shoulders of giants.’’ The 
effort started by Teodor Rus, Arthur Fleck, and William A. Kirk at AMAST’89 was
consolidated in AMAST'91 by Teodor Rus, Maurice Nivat, Charles Rattray, and 
Giuseppe Scollo. Then came modular construction of the building, wonderfully 
carried out by Giuseppe Scollo, Vangalur Alagar, Martin Wirsing, and Michael 
Johnson, as Program Chairs of the AMAST conferences held between 1993 and 1997. 
Beside the conferences, a number of AMAST Workshops have been held around the 
world; four on real-time systems, organized by Teodor Rus, by Didier Begay, by 
Aurel Cornel, and by Miguel Bertran; one on topology completion in semantics 
organized by Maurice Nivat, Paul Gastin, and Jan Rutten; and one on algebraic 
processing of programming languages, organized by Anton Nijholt, Maurice Nivat, 
and Giuseppe Scollo. The fifth workshop on real-time systems will be held in 1999, 
organized by Joost-Pieter Katoen at the University of Erlangen, Germany. The mortar 
for this huge structure was provided by the inspiring tutelage of our General Chair, 
Maurice Nivat, and the vision of the AMAST Steering Committee constituted by 
Egidio Astesiano, Robert Berwick, Zohar Manna, Michael Mislove, Anton Nijholt, 
Maurice Nivat, Jacques Printz, Charles Rattray, Teodor Rus, Giuseppe Scollo, John 
Staples, Jeannette Wing, and Martin Wirsing. 

For AMAST’98, in response to the call for papers, 80 papers and three system 
demonstrations were submitted. After a strict selection process, 29 papers were 
chosen for presentation. These, along with the extended abstracts of six invited papers 
and succinct descriptions of the demonstrations, make up these proceedings. 

The number of papers accepted by no means indicates the full scope of papers with 
the necessary quality for presentation and publication. It reflects only the time 
restrictions imposed by a four-day conference. 

The publication of a special number of Theoretical Computer Science (TCS) with 
revised versions of the best papers is a tradition of the AMAST conferences. As 
Martin Wirsing stated in the preface to the AMAST’96 proceedings, “An eventual
goal is to establish algebraic and logical methodology as a practically viable and 
attractive alternative to the prevailing ad hoc approaches to software engineering.” In 
AMAST’97 this trend was obvious, and we had a handful of very good papers on
software engineering applications. Thus, it has been decided that this time two special 
issues will be published, one in TCS with the best theoretically oriented papers, and 
another in Software Architecture (the journal heir to Science of Computing 
Programming) with the best application oriented papers. The full versions of the
invited papers will also appear in these special issues. 

The six distinguished invited speakers of AMAST’98 are Zhou Chaochen, Thomas 
Maibaum, Zohar Manna, Don Pigozzi, Glynn Winskel, and Pamela Zave. 

As in the previous years, the first day of AMAST’98 will be an Education Day, 
this time coordinated by Carlos Camarao de Figueiredo. Formal methods training 
experiences will be presented and discussed. 

On behalf of the Program Committee, my thanks to all who submitted papers and 
system demonstrations, and to the invited speakers for their contributions. We also 
extend very special thanks to the referees for sharing with us the difficult task of 
reviewing the set of very good papers received, and giving us assistance in choosing 
those that should be accepted. 

Our gratitude goes to Springer-Verlag for their invaluable cooperation, as always,
regarding the edition and publication of these proceedings. 

A very special acknowledgement must be made to Edjard de Souza Motta and the
Departamento de Ciência da Computação of Universidade do Amazonas, whose
enthusiastic collaboration greatly facilitated the innumerable local organization tasks.

The support of CNPq - Conselho Nacional de Desenvolvimento Científico e
Tecnológico, of FINEP - Financiadora de Estudos e Projetos, and of UNU/IIST -
International Institute for Software Technology of the United Nations University, is
gratefully acknowledged.

I give personal thanks to the Program Committee for their intense labor during the 
organization and reviewing process, to Jose Meseguer for allowing us the use of SRI 
International facilities for the Program Committee Meeting, and to Jose Fiadeiro for 
splendidly organizing the meeting. I would also like to thank Marcelo Frias for his 
work during the first stretch of the organization job. 

I have a very special debt of gratitude, to add to an endless debt that I shall never
be able to pay off, to my collaborators at the Laboratory of Formal Methods: first, to
our Marcia Ferreira, formally Chair of the AMAST’98 Organizing Committee, but
actually organize-and-do-everything-that’s-needed; then to Christiano Braga, Daniela
Cardoso, Andre Carregal, Cassio Gondim, Fernanda Mesquita, Claudio Terra Prates,
and all the others who pitched in when necessary.
Duration Calculus, a Logical Approach to
Real-Time Systems 



Zhou Chaochen 
United Nations University 

International Institute for Software Technology (UNU/IIST), Macau 
zcc@iist.unu.edu, http://www.iist.unu.edu



Abstract. The Duration Calculus (DC) represents a logical approach 
to formal design of real-time systems. DC is based on interval logic, and 
uses real numbers to model time, and Boolean-valued (i.e. 0,1-valued)
functions over time to model states of real-time systems. The duration 
of a state in a time interval is the accumulated presence time of the state 
in the interval. DC extends interval logic with a calculus to specify and 
reason about properties of state durations. The first paper of DC was 
published in 1991, and dozens of papers of DC have been published since 
then, which cover developments of logical calculi, their applications and 
mechanical support tools. This paper will give a brief introduction to 
DC and also an overview of the research of DC. 



Extended Abstract 



1 Real-Time Systems 

Let us consider the following two cases of real-time systems. 



Deadline Driven Scheduler 



The scheduler serves a finite number of processes, say $p_1, p_2, \ldots, p_m$, which share
a single processor. Each process periodically requests a constant amount of processor
time. It is assumed that in every $T_i$ time units $p_i$ raises a request to occupy
the processor for $C_i$ time units, where $C_i < T_i$.

A requirement for the scheduler is to fulfil all real-time requests of the processes.
The deadline driven scheduling algorithm is proposed in [2]. It satisfies
the requirement under the assumptions that the scheduler overhead is negligible and

$$\sum_{i=1}^{m} \frac{C_i}{T_i} \le 1.$$



In this algorithm, the expiration time of a request is called the deadline of the 
request. The algorithm dynamically assigns the highest priority to processes with 
the nearest deadline. At any instant, only one of the processes with the highest 
priority and yet unfulfilled request will be selected to preempt the processor. 



A.M. Haeberer (Ed.): AMAST’98, LNCS 1548, pp. 1-7, 1998. 
Gas Burner

This example was first investigated in [6]. Usually no gas leaks in a gas burner.
However, when a flame failure occurs, gas will leak. A design of a safe
gas burner must ensure that the leaking time does not get too long.

Let us assume that the ventilation requested for normal combustion would 
prevent dangerous accumulation of gas, provided that the proportion of leak 
time is not more than one twentieth of the elapsed time for any time interval 
being at least one minute long. This is a real-time requirement for a safe gas 
burner. 

Turning next to the task of design, certain decisions must be taken about 
how the real-time requirement is to be met. For example, for any period where 
the requirement is guaranteed, any leak in this period should be detectable and 
stoppable within one second; and to prevent frequent leaks it is acceptable that 
after any leak in this period the gas burner rejects switching on gas for thirty 
seconds. The conjunction of these two decisions implies the original requirement, 
a fact which should be proved before implementation proceeds. 

Both the deadline driven scheduler and the gas burner are real-time systems, 
although the first one is a software system, and the second is a hybrid system. 

Duration Calculus (abbreviated DC) is a logical approach to designing real- 
time systems. DC uses real numbers to model time, and functions from time to 
Boolean values (or real values) to model behaviour of real-time systems. Based 
on interval logic, DC establishes a formal notation to specify properties of real- 
time systems and a calculus to formally prove those properties. 

1.1 State Models 

DC starts with Boolean states to model the behaviour of real-time systems. A Boolean
state model of a real-time system is a set of Boolean-valued (i.e. $\{0,1\}$-valued)
functions over time, $Time \to \{0,1\}$, where $Time$ is the set of real numbers.
Each Boolean-valued function is a characteristic function of a specific aspect of
the system behaviour.

In order to prove the correctness of the deadline driven scheduler, we introduce
$2m$ states to model the behaviour of the scheduler [8]. They are

$$Run_i : Time \to \{0,1\}, \quad i = 1, 2, \ldots, m$$

$$Std_i : Time \to \{0,1\}, \quad i = 1, 2, \ldots, m$$

$Run_i(t) = 1$ iff $p_i$ is running in the processor at time $t$. $Std_i(t) = 1$ iff at time
$t$ the current request of $p_i$ is still standing. Namely, the current request of $p_i$ is
yet to be fulfilled at time $t$.

To verify the design decisions of the gas burner against the requirement, one
may start with a single Boolean state to model the critical aspect of the system:

$$Leak : Time \to \{0,1\}$$

where $Leak(t) = 1$ iff gas is leaking at time $t$. However, at a later stage of the
design one may have to introduce more primitive Boolean states such as $Gas$
and $Flame$ to characterize the flowing and burning of gas [5]. Then $Leak$ can be
defined pointwise as a Boolean expression of $Gas$ and $Flame$: for any $t \in Time$

$$Leak(t) = Gas(t) \wedge \neg Flame(t)$$

Boolean operators (e.g. $\neg$ and $\wedge$) for states are therefore included in DC.

1.2 State Durations 

DC uses state durations as essential measurements of the behaviour of real-time
systems. The duration of a Boolean state over a time interval is the accumulated
presence time of the state in the interval. Let $S$ be a Boolean state (i.e. $S :
Time \to \{0,1\}$), and $[b,e]$ an interval. The duration of state $S$ over $[b,e]$ equals

$$\int_b^e S(t)\,dt.$$

The real-time requirement of the deadline driven scheduler can be expressed
in terms of the durations of $Run_i$. Let us assume that all the processes raise their
first request at time 0. Thus, the $n$th request of $p_i$ is raised at time $(n-1)T_i$
and expires at time $nT_i$. Therefore the scheduler fulfils the $n$th request of $p_i$
iff the accumulated run time of $p_i$ in the interval $[(n-1)T_i, nT_i]$ equals the
requested time $C_i$. Namely,

$$\int_{(n-1)T_i}^{nT_i} Run_i(t)\,dt = C_i.$$

The real-time requirement of the gas burner can be expressed in terms of the
durations of $Leak$: for any interval $[b,e]$

$$(e-b) \ge 60\ \text{sec} \;\Rightarrow\; 20\int_b^e Leak(t)\,dt \le (e-b)$$
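The scheduler requirement above can be checked mechanically once the processes are simulated. The following is an added example (not code from the paper or from [2]): it runs the deadline driven algorithm on a unit-slot time grid, records each $Run_i$ as a 0/1 sample per slot, and checks that the duration of $Run_i$ over every request period $[(n-1)T_i, nT_i]$ equals $C_i$. It assumes integer periods and costs, all first requests at time 0, and a horizon that is a multiple of every period; the fixed-priority "rm" policy is included only for contrast and is not part of the text. The task set `(5, 7), (2, 4)` is constructed here.

```python
"""Deadline-driven scheduling simulated on a unit-slot time grid and checked
against the duration requirement of the text.  Added example, not code from the
paper.  Assumptions: integer periods T_i and costs C_i, all first requests at
time 0, and a horizon that is a multiple of every period."""
from fractions import Fraction


def schedule(periods, costs, horizon, policy="edf"):
    """Return run[i][t] in {0, 1}: 1 iff p_i occupies the processor during slot [t, t+1).
    policy "edf": the deadline driven scheduler, highest priority to the nearest deadline;
    policy "rm": fixed priority by shortest period (added here only for contrast)."""
    m = len(periods)
    run = [[0] * horizon for _ in range(m)]
    remaining = [0] * m      # processor time still owed on the current request; Std_i(t) iff > 0
    deadline = [0] * m
    for t in range(horizon):
        for i in range(m):
            if t % periods[i] == 0:         # every T_i time units p_i raises a request for C_i units
                remaining[i] = costs[i]     # an unfulfilled older request is abandoned (detected below)
                deadline[i] = t + periods[i]
        standing = [i for i in range(m) if remaining[i] > 0]
        if standing:                        # exactly one standing request preempts the processor
            if policy == "edf":
                chosen = min(standing, key=lambda i: (deadline[i], i))
            else:
                chosen = min(standing, key=lambda i: (periods[i], i))
            run[chosen][t] = 1
            remaining[chosen] -= 1
    return run


def duration(state, b, e):
    """Integral of S over [b, e] for a 0/1 state that is constant on each unit slot."""
    return sum(state[b:e])


def fulfils_all_requests(run, periods, costs):
    """The nth request of p_i is fulfilled iff the duration of Run_i over [(n-1)T_i, nT_i] equals C_i."""
    horizon = len(run[0])
    return all(duration(run[i], (n - 1) * T, n * T) == C
               for i, (T, C) in enumerate(zip(periods, costs))
               for n in range(1, horizon // T + 1))


def mutual_exclusion(run):
    """At most one Run_i is 1 at any time (a single processor)."""
    return all(sum(r[t] for r in run) <= 1 for t in range(len(run[0])))


def utilisation(periods, costs):
    """Sum of C_i / T_i, the quantity the text requires to be at most 1."""
    return sum(Fraction(C, T) for T, C in zip(periods, costs))


if __name__ == "__main__":
    periods, costs = (5, 7), (2, 4)          # constructed task set, utilisation 34/35
    for policy in ("edf", "rm"):
        run = schedule(periods, costs, 35, policy)
        print(policy, "fulfils all requests:", fulfils_all_requests(run, periods, costs))
```

With utilisation $34/35 \le 1$ the deadline driven policy meets every request over the hyperperiod, while the fixed-priority variant loses the first request of $p_2$ (it receives only 3 of its 4 units before time 7); a task set with utilisation above 1 fails under both, as the condition above predicts.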

A mathematical formulation of these two requirements can hardly leave out
state durations. Since the processor may be preempted dynamically, the duration
of $Run_i$ has to be used to extract the accumulated running time of $p_i$, and
since gas leaks due to random flame failures, the duration of $Leak$ has to be used
to extract the accumulated leak time of gas.

Distance between states is another important measurement of real-time systems.
However, state distances can be expressed in terms of state durations. With
state durations one can first express a lasting period of a state. Let us assume
that a presence of state $S$ lasts for a period $[c,d]$ ($d > c$). It can be expressed
as that the duration of $S$ in $[c,d]$ is equal to the length of $[c,d]$:

$$\int_c^d S(t)\,dt = (d-c) > 0 \quad \text{(abbreviated } S[c,d]\text{)}$$

if we do not care about instantaneous absence of $S$. Thus, constraints on lasting periods
of states can be expressed in terms of state durations. Consider the first design
decision of the gas burner. Let $[b,e]$ be the guarantee period of the gas burner.
The first design decision, that any leak in $[b,e]$ should not last for longer than
one second, can be expressed as

$$\forall c, d : b \le c < d \le e.\ (Leak[c,d] \Rightarrow (d-c) \le 1\ \text{sec})$$

Constraints on state distances can be expressed in terms of state durations similarly.
Consider the second design decision of the gas burner. It can be stated as that
the distance between any two consecutive leaks in the guarantee period $[b,e]$
must be at least thirty seconds long:

$$\forall c, d, f, g : b \le c < d < f < g \le e.\ ((Leak[c,d] \wedge NonLeak[d,f] \wedge Leak[f,g]) \Rightarrow (f-d) \ge 30\ \text{sec})$$

where $NonLeak(t) = \neg Leak(t)$.

State durations as integrals of Boolean-valued functions are functions from 
time intervals to real numbers. DC axiomatizes state durations based on the 
interval logic proposed in [7], which is a logic for functions of time intervals. 

2 Interval Logic 

2.1 Interval Variables 

In the interval logic, functions of intervals are called interval variables. Let

$$Intv = \{\,[b,e] \mid (b, e \in Time) \wedge (b \le e)\,\},$$

and let $\mathbb{R}$ be the set of real numbers and $v_i$ ($i = 1, 2, 3, 4$) be interval variables:

$$v_i : Intv \to \mathbb{R} \quad \text{for } i = 1, 2, 3, 4.$$

A formula of the $v_i$ such as $v_1 < (v_2 + v_3 \cdot v_4)$ is interpreted in the interval logic as
a function from $Intv$ to the truth values $\{tt, ff\}$: $Intv \to \{tt, ff\}$.

Therefore the interval logic provides a functional calculus, which specifies and
reasons about properties of functions of intervals in such a way that the arguments
of the functions (i.e. the intervals) are not referred to explicitly.

Interval length is a special interval variable, denoted $\ell$:

$$\ell : Intv \to \mathbb{R}$$

The duration of a state $S$ can be regarded as another example of an interval
variable, written $\int S$:

$$\int S : Intv \to \mathbb{R}$$

For an arbitrarily given interval $[b,e]$, the value of the interval variable $\int S$ is the
duration of $S$ in $[b,e]$, namely the value of

$$\int_b^e S(t)\,dt.$$

Hence state durations can be introduced into the interval logic as interval variables
with specific meaning. The requirement of the gas burner can be expressed
in an interval logic of the state duration $\int Leak$ as

$$Req:\quad \ell \ge 60 \;\Rightarrow\; 20\int Leak \le \ell$$

2.2 Interval Modalities 

Interval logic uses modalities to define structures (called reachabilities) among
intervals, such as one interval being a subinterval of another interval, or an interval
being made of two adjacent subintervals.

Subinterval Modality $\Diamond$:

For any formula $\phi$, $\Diamond\phi$ is a new formula which holds for an interval iff $\phi$
holds for some subinterval of it. Thus, with $\Diamond$, from an interval one can reach
its subintervals.

The dual of $\Diamond$ is $\Box$: $\Box\phi = \neg\Diamond\neg\phi$. Hence $[b,e]$ satisfies $\Box\phi$ iff every subinterval
of $[b,e]$ satisfies $\phi$.

With $\Box$ one can formulate in an interval logic of state durations the first
design decision of the gas burner. First, the mathematical definition of $S[c,d]$
can be transformed into a formula without explicit intervals:

$$(\int S = \ell) \wedge (\ell > 0) \quad \text{(abbreviated } \lceil S \rceil\text{)}$$

Then the following is a formulation of the first design decision:

$$Des\text{-}1:\quad \Box(\lceil Leak \rceil \Rightarrow (\ell \le 1))$$

Chop Modality $\frown$:

For formulas $\phi$ and $\psi$, an interval satisfies the new formula $\phi \frown \psi$ iff the
interval can be chopped into two adjacent subintervals such that the first
subinterval satisfies $\phi$ and the second one satisfies $\psi$.

With $\frown$ and $\Box$, one can formulate the second design decision of the gas
burner. A simplified formulation of the second design decision is

$$Des\text{-}2:\quad \Box((\lceil Leak \rceil \frown \lceil \neg Leak \rceil \frown \lceil Leak \rceil) \Rightarrow (\ell \ge 30))$$

To prove the correctness of the two design decisions is therefore to prove the
validity of the formula

$$(Des\text{-}1 \wedge Des\text{-}2) \Rightarrow Req$$

In fact the subinterval modality $\Diamond$ can be derived from the chop modality,
since

$$\Diamond\phi \;\Leftrightarrow\; true \frown \phi \frown true$$
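The semantics just given (interval variables $\ell$ and $\int Leak$, the abbreviation $\lceil S \rceil$, chop and $\Box$) can be executed directly on a finite observation. The following is an added example, not code from the paper: it evaluates $Req$, $Des$-$1$ and $Des$-$2$ on every interval of a recorded $Leak$ trace. It assumes a discretised model that the text does not use: time in whole seconds, $Leak$ sampled once per second and constant on $[t, t+1)$, and intervals with integer endpoints, so chop points and subintervals range over the integers. The three traces (`SAFE`, `LONG`, `FREQUENT`) are constructed here; checking them is evidence on instances, not a proof of the validity of $(Des\text{-}1 \wedge Des\text{-}2) \Rightarrow Req$, which is the proof obligation the text states.

```python
"""Finite-trace checker for the Duration Calculus formulas Req, Des-1 and Des-2.
Added example, not from the paper.  Assumes a discretised model: whole seconds,
one 0/1 sample of Leak per second (constant on [t, t+1)), integer interval
endpoints, so chop points and subintervals range over the integers."""
from functools import lru_cache
from itertools import accumulate


class Trace:
    """The state Leak sampled once per second; prefix sums give O(1) durations."""

    def __init__(self, leak):
        self.n = len(leak)
        self.prefix = [0] + list(accumulate(leak))

    def duration(self, b, e):
        """The interval variable (integral of Leak) evaluated on [b, e]."""
        return self.prefix[e] - self.prefix[b]


def formula(f):
    """A formula is a function (trace, b, e) -> bool; memoisation keeps nested chops cheap."""
    return lru_cache(maxsize=None)(f)


def LEAK(tr, b, e):            # duration of Leak over [b, e]
    return tr.duration(b, e)


def NONLEAK(tr, b, e):         # duration of not-Leak = length - duration of Leak
    return (e - b) - tr.duration(b, e)


def everywhere(state):
    """The abbreviation [S]: (duration of S = length) and (length > 0)."""
    @formula
    def phi(tr, b, e):
        return e > b and state(tr, b, e) == e - b
    return phi


def chop(phi, psi):
    """phi chop psi: some split point m with [b, m] satisfying phi and [m, e] satisfying psi."""
    @formula
    def chi(tr, b, e):
        return any(phi(tr, b, m) and psi(tr, m, e) for m in range(b, e + 1))
    return chi


def box(phi):
    """Box phi: phi holds on every subinterval.  The subintervals of [b, e] are [b, e]
    itself plus those of [b+1, e] and [b, e-1], so memoised recursion costs O(1) per interval."""
    @formula
    def chi(tr, b, e):
        return phi(tr, b, e) and (b == e or (chi(tr, b + 1, e) and chi(tr, b, e - 1)))
    return chi


def implies(phi, psi):
    @formula
    def chi(tr, b, e):
        return (not phi(tr, b, e)) or psi(tr, b, e)
    return chi


def arith(pred):
    """Lift a predicate on (length, duration of Leak) to an interval formula."""
    @formula
    def chi(tr, b, e):
        return pred(e - b, tr.duration(b, e))
    return chi


# Req:   length >= 60  =>  20 * duration(Leak) <= length, on every interval
REQ = box(arith(lambda ell, leak: ell < 60 or 20 * leak <= ell))
# Des-1: Box([Leak] => length <= 1)
DES_1 = box(implies(everywhere(LEAK), arith(lambda ell, leak: ell <= 1)))
# Des-2: Box(([Leak] chop [not Leak] chop [Leak]) => length >= 30)
DES_2 = box(implies(chop(everywhere(LEAK), chop(everywhere(NONLEAK), everywhere(LEAK))),
                    arith(lambda ell, leak: ell >= 30)))


def satisfies(tr, phi):
    """Evaluate the (boxed) formula on the whole observation interval [0, n]."""
    return phi(tr, 0, tr.n)


def design_implies_requirement(tr):
    """(Des-1 and Des-2) => Req on this one trace: an instance check, not a proof."""
    return not (satisfies(tr, DES_1) and satisfies(tr, DES_2)) or satisfies(tr, REQ)


def periodic_leaks(total, leak_len, gap):
    """Constructed sample trace: leaks of leak_len seconds, each followed by gap leak-free seconds."""
    leak = []
    while len(leak) < total:
        leak += [1] * leak_len + [0] * gap
    return Trace(leak[:total])


SAFE = periodic_leaks(100, 1, 30)       # 1 s leaks, 30 s apart: meets Des-1 and Des-2
LONG = periodic_leaks(100, 2, 30)       # 2 s leaks: violates Des-1
FREQUENT = periodic_leaks(100, 1, 10)   # leaks only 10 s apart: violates Des-2

if __name__ == "__main__":
    for name, tr in (("SAFE", SAFE), ("LONG", LONG), ("FREQUENT", FREQUENT)):
        print(name, "Des-1:", satisfies(tr, DES_1), "Des-2:", satisfies(tr, DES_2),
              "Req:", satisfies(tr, REQ), "design => Req:", design_implies_requirement(tr))
```

On `SAFE` all three formulas hold; `LONG` keeps the 30 second spacing but breaks $Des$-$1$, and `FREQUENT` keeps one-second leaks but breaks $Des$-$2$, and each of those also breaks $Req$ (for instance, `LONG` has four leak-seconds in $[0,60]$, so $20\int Leak = 80 > 60$), which is what the implication predicts. The `box` recursion depends on the integer grid; on a dense time domain $\Box$ over all subintervals cannot be enumerated, which is why the text treats the implication as a proof obligation in the calculus rather than a finite check.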
A modality is called contracting if it only provides access to inside
parts of a given interval. $\Diamond$ and $\frown$ are two examples of contracting modalities.
With the contracting modalities we have formulated safety properties for real-time
systems. However, contracting modalities cannot specify unbounded liveness
and fairness properties of computing systems. Thus, modalities which provide
access to the outside of a given interval are also necessary. They are called expanding
modalities. In the literature, there are twelve unary modalities and three
binary modalities to define various contracting and expanding interval reachabilities.
In [10], it is proved that all fifteen modalities of interval logic can be
derived from two simple modalities (left and right neighbourhoods) in a first order
logic with interval length $\ell$.

3 Duration Calculus 

The research on DC was initiated by the case study [6] in connection with the
ProCoS project (ESPRIT BRA 3104 and 7071). Two main observations of this
case study were that the notion of time interval was useful and that the notion of
state duration was necessary. This led to the first publication of DC [11] in 1991.
In [11] a relatively complete proof system for state durations was established,
which included the following axioms:

DCA1 $\int 0 = 0$

DCA2 $\int 1 = \ell$

DCA3 $\int S \ge 0$

DCA4 $\int S_1 + \int S_2 = \int(S_1 \vee S_2) + \int(S_1 \wedge S_2)$

DCA5 $((\int S = x) \frown (\int S = y)) \Rightarrow (\int S = x + y)$

DCA6 $\int S_1 = \int S_2$, provided $S_1 \Leftrightarrow S_2$ holds in propositional logic

Dozens of papers on DC have been published since 1991. They include

1. the formal calculi for state durations in different models of real-time systems,
covering Boolean state, event [12,9], real state [13], dependability [3], finite
divergence [1], super dense computation [9,4], etc.,

2. applications of DC, such as case studies of auto pilot, railway crossing, water 
level monitor, gas burner, air traffic controller, production cell, motor-load 
control, inverted pendulum, etc. and formal specification and verification of 
real-time programs and circuits, and 

3. mechanical support tools for DC, including results on completeness, decid- 
ability of subclasses and model checking algorithms and implementation of 
proof assistant and model checker 
Abstract. We present a logic for real-time systems specification which
is an extension of first order dynamic logic by adding (a) arbitrary atomic
actions rather than only assignments, (b) variables over actions which
allow one to specify systems partially, and (c) explicit time. The logic is
algebraized using closure fork algebras and a representation theorem for
this class is presented. This allows one to define an equational (but infinitary)
proof system for the algebraization.



1 Introduction 

The motivation for this work is the need to describe industrial processes as 
part of a project for a Brazilian telecommunications company. We want to be 
able to give formal descriptions of such processes so as to be able to analyze such 
descriptions. For example, we want to be able to calculate critical paths for tasks 
in processes, throughput times of processes, etc. We also want to demonstrate 
correctness of process descriptions in relation to their specifications (where this 
is appropriate) , derive implementations of process specifications in terms of the 
available concrete apparatus in the factory, validate (using formal techniques) an 
implementation against its abstract description, and so on. Available languages 
for describing processes are unsuitable for various reasons, most having to do 
with the nature of the formalization of such processes being used in the project. 

The method used in the project for describing processes (the method) is based
on the ideas presented in El- This method sees the world as being modeled in 
terms of two (and only two) kinds of entities: products and processes. A product 
is a description of an entity in the real world (a referent) in terms of measurable 
attributes. (Here, we use measure and measurable in the traditional sense of sci- 
ence and engineering. See Hums].) A product instance is characterized by the 

* The third author would like to thank the EPSRC(UK), CNPq(Brasil), Imperial 
College, LMF-DI/PUC-RJ and The Royal Academy of Engineering for their financial 
support during the conduct of this research. 
values (measures) associated with its attributes (and, implicitly, by the theory
of the product, i.e., the defined relationships between the potential measured 
values of its attributes). Hence, such a product instance may be seen as a model, 
in the sense of logic, of the product. We may see products as being characterized 
by data types in first order logic, for example. 

The distinguishing characteristic of products is that they exist ‘indepen- 
dently’ at an instant in time, where time is used here in its normal scientific 
sense. (Independence here means that a product is defined without recourse 
to any other referent or only in terms of other (sub)products. Products of the 
former kind are called atomic products.) In fact, all products have a time at- 
tribute whose value in a product instance indicates the time instant at which the 
values of the attributes were (co)determined, presumably by some appropriate 
measurement procedures. On the other hand, processes are distinguished enti- 
ties which do not exist at a time instant, but which have time duration. Further, 
processes are not independently definable, but are defined in terms of their input 
and output products. 

Processes also model entities of the real world and again are defined in terms 
of attributes. The method imposes a very restrictive notion of process, namely 
one in which all processes have a single input and a single output. (The rea- 
sons for this restriction need not detain us here, except to say that they are 
methodologically very well motivated. The restriction clearly will have a pro- 
found influence on the nature of the language we define below.) Distinguished 
attributes of a process include the transfer function(s) ‘computed’ by the pro- 
cess (i.e., how the input product is transformed into the output product), upper 
and lower bounds on the time taken for the process to execute, a flag indicat- 
ing whether the process is ‘enabled’, and so on. The transfer function may be 
described in terms of an underlying state machine used to organize phases of 
the process being defined and to ‘sense’ important external state information re- 
quired to control the execution of the process. Like products, processes may be 
defined in terms of ‘sub-processes’ and we now turn to this language of processes, 
as its formalization is the subject matter of the paper. 

We will use an analogy with conventional sequential programming languages 
to motivate the nature of the formalization. Consider such a programming lan- 
guage. The programs in the language are constructed from basic commands 
(usually just assignment) and various control structures. The programming lan- 
guage data types are used to model the inputs and outputs of programs. Let us 
focus on a program that exhibits simple input/output behavior. We realize this 
behavior by executing the program on some machine (a real machine for a low 
level language and an ‘abstract’ machine for a high level language). Hence, we can 
see an analogy between inputs/outputs and products and between programs and 
processes. Both programs and processes are intended to model entities that de- 
fine families of executions on the machine used to execute the program/process. 
This is exactly how we want to understand processes, i.e., as defining a class of 
potential executions over some (abstract) machine. 
The following questions must be answered, amongst others, in order to make
the analogy more exact: What is the nature of the abstract machine over which 
processes are defined? What ‘data types’ are allowed as inputs and outputs 
of processes? What ‘control structures’ may be used? What do we mean by 
‘execution’ of a process? (Obvious further questions include: How do we specify 
required processes? What do we mean by ‘refinement’ and how do we derive 
refinements or prove their correctness?) 

As to the first of these questions, we do not envisage a single abstract machine 
which will underpin all potential processes. Rather, we assume that our abstract 
machine is provided by an object, in the sense of object oriented programming. 
Such an object has 

— a set of internal states; 

— a set of methods, with appropriate input and output parameters, that it can 
execute and which change the internal state; 

— a set of potential behaviors that it can exhibit, with the behavior being 
exhibited ‘chosen’ by the program being executed. 

So, the purpose of a process, like a program, is to ‘choose’ a particular behav- 
ior allowed by the object (our abstract machine). Of course, the object itself is 
used, in our case, to model the basic capabilities of the organization whose indus- 
trial processes are being modeled or prescribed. These basic capabilities may be 
those of machines (computers, presses, conveyor belts, etc.), or people (program- 
mers, hardware engineers, salesmen, managers, etc.), or even (sub)organizations. 
The aim of the exercise is to choose from all the potential behaviors (jointly) 
exhibitable by this abstract machine those which have the appropriate char- 
acteristics (i.e., manufacturing a product with appropriate quality and other 
characteristics and in a dependable manner). 

We should add here two important comments about our underlying ‘object’. 
Firstly, such a complex underlying object may itself be built in a structured 
manner from sub-objects by using standard object oriented structuring meth- 
ods. See for a formal account of this. Secondly, there are lacunae in object
oriented programming methods to do with exactly what we are attempting here, 
i.e., defining a particular subclass of behaviors from those potentially exhibitable 
by the object. In object oriented programming, this problem of defining threads 
of computation over objects is usually overcome by defining a ‘system object’ 
that drives the choice of desirable behaviors. Different applications over the same 
object base then require different ‘system objects’ to choose the different behav- 
iors. 

The methods of this abstract machine represent the atomic ‘machine ex- 
ecutable’ processes from which our industrial processes will have to be built. 
Consider the example below, presented using the diagrammatic notation of the 
method. 

The two entities we have discussed, products and processes, are denoted, 
respectively, by arrows and boxes. (We use lower case letters for process names 
and upper case letters for products.) Each product is represented in terms of its 
attributes and each execution of the process will assign to each of these attributes 
[Fig. 1 is a diagram, not reproduced here, of processes drawn as boxes and products drawn as arrows, including the paired product $(P_4, P_5)$ and the product $P_6$.]

Fig. 1. A complex process example.



specific values from the appropriate domains. Each process is an atomic method
from the underlying object. There is a third kind of entity in the diagram that
we have not yet discussed. This is the gate, which is an artifact of the method
used basically for two purposes: i) helping to enforce the single input, single
output regime of processes, and ii) acting as guards on processes so as to control
the computation. For example, $g_1$ copies the output product $P_1$ to create single
inputs for each of $p_2$ and $p_3$. The gate $g_2$, on the other hand, is a guard which
is intended to stop progress of $p_3$ until, for example, $p_2$ has terminated (or even
forcing $p_3$ to wait for an external event, like turning on the machine). Gate $g_3$
is used to create the single input to process $p_6$ from the outputs $P_4$ and $P_5$ of
processes $p_4$ and $p_5$, respectively. $P_6$ is simply a tuple of products synchronized
in time. (The single input mechanism here is used to enforce a unique time
for the process to be initiated with the required input. The method uses the
unique initiation and termination times of processes to attain a specific notion
of well definedness and the single input and single output regime is an aid to
accomplishing this.) As we see, we need the following constructs in our language:

— sequential composition of processes; 

— parallel composition of processes (with parallelism being interpreted as ‘don’t 
care’ parallelism, in the sense that it is potential parallelism of which an 
implementer may take advantage); 

— nondeterministic choice among processes; 

— guards for processes (which may be combined with copying and ‘restructur- 
ing’ of products); 

— a loop construct to allow us to define iterative processes with a guard to 
control the number of iterations. 

The language is formalized by extending first order dynamic logic with a 
parallel combinator and the ability to express real time constraints. (The only 
construct above not used in dynamic logic is the parallel combinator.) The se- 
mantics of dynamic logic uses a notion of transition system that is used to 
represent the underlying abstract machine capable of executing the atomic pro- 
cesses. The logic is extended with variables over processes so that we can specify 
abstractly the processes we are interested in building. There is a notion of re- 
finement associated with such specifications, allowing us to demonstrate that 
a process satisfies its specification. Finally, we demonstrate, using techniques 
developed in QISI, how to algebraize this logic and thus obtain an equational
proof system for our process formalism. In order to algebraize the logic we will
use omega closure fork algebras ($\omega$-CFA). These algebras are extensions of relation
algebras with three new operators: a pairing operator called fork,
a choice operator, and the Kleene star. A consequence preserving function
mapping formulas of the logic to equations in the language of $\omega$-CFA will be
defined. We will also present a representation theorem which, together with the
mapping, will allow us to reason equationally about properties of the logic.

The paper is organized as follows: in Section 2 we present a first order
formalization of objects. In Section 3 we present the logic we propose
for specifying and reasoning about the properties of processes. In Section 4 we
introduce the class of omega closure fork algebras. In Section 5 we present the
algebraization. Finally, in Section 6 we present our conclusions about this work.

2 Objects 

The first problem we confront when trying to formalize these concepts is that of characterizing the ‘abstract machine’ over which our processes will be defined. These processes are meant to use the underlying capabilities of the organization, as represented by the behaviors displayed by individual components within the organization. (Such individual components may be people, groups, manufacturing machines, etc.) These behaviors are organized (at least in some abstract sense) into a joint behavior which is our ‘abstract machine’. In the last decade, we have learned to organize such behaviors in terms of concepts used in object oriented programming. Objects are characterized by the data structures that are maintained by the object (seen in terms of the different states of the object) and the methods (which we call actions below) that may be executed by the object and which may change its state. 

Hence, we will assume as given some object (which may be very complex and built as a system from less complex components [?]), which represents the potential behaviors of the organization as an abstract machine. This object will represent the actions/methods, state variables, external events/actions and some prescription of allowed behaviors from which individual processes must be built. (We note again the analogy between computers and programs, on the one hand, and the object/abstract machine and processes, on the other. Our processes will be used to define specific classes of behaviors in which we are interested, our required processes, from the very large class allowed by the object.) The definitions below give a somewhat non-standard account of objects in terms of the underlying transition system defining the object’s allowed behaviors. However, the standard parts of such descriptions (i.e., methods, state variables, etc.) are easily distinguishable. 

Definition 1. An object signature is a pair $\langle A, \Sigma\rangle$ in which $\Sigma = \langle S, F, P\rangle$ is a many-sorted first-order signature with set of sorts $S$, set of function symbols $F$ and set of predicate symbols $P$. Among the sorts, we will single out one sort called the time sort, denoted by $T$. $A$ is a set of action symbols. To each $a \in A$ is associated a pair $\langle s_1, s_2\rangle \in (S^*)^2$ called its arity. We will denote the input arity of $a$ by $ia(a)$ and the output arity of $a$ by $oa(a)$. 

Definition 2. Given an object signature $\Sigma = \langle A, \langle S, F, P\rangle\rangle$, an object structure for $\Sigma$ is a structure $\mathcal{A} = \langle \mathbf{S}, \mathbf{A}, \mathbf{F}, \mathbf{P}\rangle$ in which $\mathbf{S}$ is an $S$-indexed family of nonempty sets, where the set $\mathbf{T}$ is the element of $\mathbf{S}$ indexed by $T$. In general, the set corresponding to sort $s$ will be denoted by $\mathbf{s}$. $\mathbf{A}$ is an $A$-indexed family of binary relations satisfying the typing constraints of symbols from $A$, i.e., if $ia(a) = s_1 \ldots s_m \in S^*$ and $oa(a) = s'_1 \ldots s'_n \in S^*$, then $a^{\mathcal{A}}$ (as we will denote the $a$-th element from $\mathbf{A}$) is contained in $(\mathbf{s}_1 \times \cdots \times \mathbf{s}_m) \times (\mathbf{s}'_1 \times \cdots \times \mathbf{s}'_n)$. To each $f : s_1 \ldots s_k \rightarrow s$ in $F$ is associated a function $f^{\mathcal{A}} : \mathbf{s}_1 \times \cdots \times \mathbf{s}_k \rightarrow \mathbf{s}$ in $\mathbf{F}$. To each $p$ of arity $s_1 \ldots s_k$ in $P$ is associated a relation $p^{\mathcal{A}} \subseteq \mathbf{s}_1 \times \cdots \times \mathbf{s}_k$ in $\mathbf{P}$. 

Regarding the domain $\mathbf{T}$ associated to the time sort $T$, we will not go into the different possibilities for modeling time, but will rather choose some representation adequate for the application we have in mind, for instance the field of rational or real numbers extended with a maximum element $\infty$. We will distinguish some constants, such as $0$, $\varepsilon$, etc. 

3 The Logic, the Relational Variables, and the Time 

We will extend a standard notation for specifying and reasoning about programs, 
namely dynamic logic. What we want to do is define processes/programs over 
our objects which reflect the intuitive model outlined in the introduction. Dy- 
namic logic starts with basic actions and constructs programs by using certain 
combinators. The usual basic action is assignment, but we will replace this with 
the actions of the underlying object. The basic actions will be represented by 
binary relations. The input and output domains of such relations will be tuples 
of state variables or a choice of a set of state variables, thus reflecting the single 
input, single output idea of processes. The combinators are also extended with 
one to allow us to express (potential) parallelism of processes (defined via the 
intersection operator for binary relations). 

Another important aspect of processes, as we wish to define them, is the real-time aspect. In defining processes, we often want to reason about time: throughput time, critical paths, optimization of processes. This requires that we are able to reason about time within the formalism. We adapt a real-time logic developed in [?], which presents an extension of the logic presented in [?]. Each basic action is supplemented with a specification of lower and upper time bounds for occurrences of that action. These bounds may have various interpretations, amongst which we have the following: the lower bound is interpreted as the minimum time that must pass before the action’s effects are committed to happen, and the upper bound gives a maximum time by which the action’s effects are committed to happen. Specifications of processes will also have associated lower and upper bounds, and refinements will be expected to provably meet these bounds. 
In this section we will present the Product/Process Modeling Logic (P/PML). Consider the formula $\varphi(x) := [x\,A\,x]\,\beta(x)$ where $A$ is an action term (a binary or $n$-ary relation) and the notation $[x\,A\,x]\,\beta$ means that “all executions of action $A$ establish the property $\beta$”. According to our previous discussion about processes and products, we read $\varphi$ as stating that $\beta$ is a truth of the system $A$; then proving the truth of $\varphi$ can be seen as the verification of the property $\beta$ in the system described by $A$. Opposed to the previous view is the notion of an implicit specification of a system, in which $A$ is not a ground term, but rather may contain some relational variables that represent subsystems not yet fully determined. In what follows we will denote by $RelVar$ the set of relational variables $\{\, R, S, T, \ldots \,\}$. 

Definition 3. Given an object signature $\Sigma = \langle A, \langle S, F, P\rangle\rangle$, the sets of relational terms and formulas on $\Sigma$ are the smallest sets $RT(\Sigma)$ and $For(\Sigma)$ such that 

1. $a \in RT(\Sigma)$ for all $a \in A \cup RelVar \cup \{\, 1'_t : t \in S^* \,\}$. 

2. If $r \in RT(\Sigma)$ and $ia(r) = oa(r)$, then $r^* \in RT(\Sigma)$. We define $ia(r^*) = oa(r^*) = ia(r)$. 

3. If $r, s \in RT(\Sigma)$, $ia(r) = ia(s)$ and $oa(r) = oa(s)$, then $r + s \in RT(\Sigma)$ and $r \cdot s \in RT(\Sigma)$. We define $ia(r+s) = ia(r \cdot s) = ia(r)$ and $oa(r+s) = oa(r \cdot s) = oa(r)$. 

4. If $r, s \in RT(\Sigma)$ and $oa(r) = ia(s)$, then $r;s \in RT(\Sigma)$. We define $ia(r;s) = ia(r)$ and $oa(r;s) = oa(s)$. 

5. If $\alpha \in For(\Sigma)$ is quantifier free and has free variables $x_1, \ldots, x_n$ with $x_i$ of sort $s_i$, then $\alpha? \in RT(\Sigma)$ and $ia(\alpha?) = oa(\alpha?) = s_1 \ldots s_n$. 

6. The set of first-order atomic formulas on the signature $\Sigma$ is contained in $For(\Sigma)$. 

7. If $\alpha, \beta \in For(\Sigma)$, then $\neg\alpha \in For(\Sigma)$ and $\alpha \vee \beta \in For(\Sigma)$. 

8. If $\alpha \in For(\Sigma)$ and $x$ is an individual variable of sort $s$, then $(\exists x : s)\,\alpha \in For(\Sigma)$. 

9. If $\alpha \in For(\Sigma)$, $t \in RT(\Sigma)$ with $ia(t) = s_1 \ldots s_m$ and $oa(t) = s'_1 \ldots s'_n$, $\bar{x} = x_1, \ldots, x_m$ with $x_i$ of sort $s_i$, $\bar{y} = y_1, \ldots, y_n$ with $y_i$ of sort $s'_i$, and $l, u$ are variables of sort $T$, then $[\bar{x}\;{}_l t^u\;\bar{y}]\,\alpha \in For(\Sigma)$. 



Definition 4. Let $R \in RT(\Sigma)$ with $ia(R) = s_1 \ldots s_m$ and $oa(R) = s'_1 \ldots s'_n$, $\bar{x} = x_1, \ldots, x_m$ with $x_i$ of sort $s_i$, $\bar{y} = y_1, \ldots, y_n$ with $y_i$ of sort $s'_i$, and $l, u$ variables of sort $T$. An expression of the form $\bar{x}\;{}_l R^u\;\bar{y}$ is called a timed action term. 

We will assume that a lower and an upper bound are assigned to atomic actions, namely $l_a \in \mathbf{T}$ and $u_a \in \mathbf{T}$ for each action $a \in A$. From the bounds of the atomic actions it is possible to define bounds for complex actions in a quite natural way. 
Definition 5. Let $\Sigma$ be an object signature. The functions $l$ and $u$ from $RT(\Sigma) \cup For(\Sigma)$ to $\mathbf{T}$ are defined as follows$^1$: 

1. If $a \in A$, then $l(a) = l_a$ and $u(a) = u_a$. 

2. If $R = X \in RelVar$, then $l(X) = 0$ and $u(X) = \infty$. 

3. If $R = 1'_t$, with $t \in S^*$, then $l(R) = 0$ and $u(R) = \varepsilon$ ($\varepsilon$ being a constant of sort $T$). 

4. If $R = S^*$, then $l(R) = 0$ and $u(R) = \infty$. 

5. If $R = S + T$, then $l(R) = \min\{\, l(S), l(T) \,\}$ and $u(R) = \max\{\, u(S), u(T) \,\}$. 

6. If $R = S \cdot T$, then $l(R) = \max\{\, l(S), l(T) \,\}$ and $u(R) = \max\{\, u(S), u(T) \,\}$. 

7. If $R = S;T$, then $l(R) = l(S)$ and $u(R) = u(S) + u(T)$. 

8. If $R = \alpha?$ with $\alpha \in For(\Sigma)$ quantifier free and with free variables $\bar{x}$, $l(R) = l(\alpha)$ and $u(R) = u(\alpha)$. 

9. If $\alpha = p(t_1, \ldots, t_k)$, then $l(\alpha) = l_p \in \mathbf{T}$ and $u(\alpha) = u_p \in \mathbf{T}$, with $l_p \leq u_p$. 

10. If $\alpha = \neg\beta$, then $l(\alpha) = l(\beta)$ and $u(\alpha) = u(\beta)$. 

11. If $\alpha = \beta \;op\; \gamma$ with $op \in \{\, \vee, \wedge, \rightarrow \,\}$, then $l(\alpha) = \min\{\, l(\beta), l(\gamma) \,\}$ and $u(\alpha) = \max\{\, u(\beta), u(\gamma) \,\}$. 

12. If $\alpha = [\bar{x}\;{}_l R^u\;\bar{y}]\,\beta$, then $l(\alpha) = l(R)$ and $u(\alpha) = u(R) + u(\beta)$. 

Given a set of sorts $S = \{\, s_1, \ldots, s_k \,\}$ and domains $\mathbf{S} = \{\, \mathbf{s}_1, \ldots, \mathbf{s}_k \,\}$ for these sorts, by a valuation of the individual variables of sort $s_i$ we refer to a function $\nu : IndVar_{s_i} \rightarrow \mathbf{s}_i$. A valuation of the relational variables is a function $\mu : RelVar \rightarrow \mathcal{P}(\mathbf{S}^* \times \mathbf{S}^*)$. 

Definition 6. Given a valuation of the individual variables $\nu$ and an array of variables $\bar{x} = x_1, \ldots, x_n$, by $\nu(\bar{x})$ we denote the tuple $\langle \nu(x_1), \ldots, \nu(x_n)\rangle$. 

Let $\mathcal{A}$ be an object structure and $\mu$ a valuation of the relational variables. Given valuations of the individual variables $\nu$ and $\nu'$ and a timed action term $\bar{x}\;{}_l R^u\;\bar{y}$, by $\nu\,\langle \bar{x}\;{}_l R^u\;\bar{y}\rangle\,\nu'$ we denote the fact that: $\langle \nu(\bar{x}), \nu'(\bar{y})\rangle \in R^{\mathcal{A}}_{\mu}$ (the denotation of the relational term $R$, formally defined in Def. 7), for every variable $z$ not occurring in $\bar{y}$, $\nu'(z) = \nu(z)$, and $\nu(l) \leq l(R)$ and $\nu(u) \geq u(R)$. 

The semantics of formulas is now defined relative to valuations of individual variables and relational variables. In the following definition, the notation $\mathcal{A} \models_{P/PML} \alpha[\nu][\mu]$ is to be read “The formula $\alpha$ is satisfied in the object structure $\mathcal{A}$ by the valuations $\nu$ and $\mu$”. 

Definition 7. Let us have an object signature $\Sigma = \langle A, \langle S, F, P\rangle\rangle$ and an object structure $\mathcal{A} = \langle \mathbf{S}, \mathbf{A}, \mathbf{F}, \mathbf{P}\rangle$. Let $\nu$ be a valuation of individual variables and $\mu$ a valuation of relational variables. Then: 

1. If $a \in A$ then $a^{\mathcal{A}}_{\mu}$ is the element with index $a$ in $\mathbf{A}$. 

2. If $R \in RelVar$, then $R^{\mathcal{A}}_{\mu} = \mu(R)$. 

3. If $R = 1'_t$ with $t = s_1 \ldots s_k$, $R^{\mathcal{A}}_{\mu} = \{\, \langle\langle a_1, \ldots, a_k\rangle, \langle a_1, \ldots, a_k\rangle\rangle : a_i \in \mathbf{s}_i \,\}$. 

$^1$ We will only consider quantifier-free formulas, since these are the ones used for building actions of the form $\alpha?$. 

4. If $R = S^*$, with $S \in RT(\Sigma)$, then $R^{\mathcal{A}}_{\mu}$ is the reflexive-transitive closure of the binary relation $S^{\mathcal{A}}_{\mu}$. 

5. If $R = S + T$, with $S, T \in RT(\Sigma)$, then $R^{\mathcal{A}}_{\mu} = S^{\mathcal{A}}_{\mu} \cup T^{\mathcal{A}}_{\mu}$. 

6. If $R = S \cdot T$, with $S, T \in RT(\Sigma)$, then $R^{\mathcal{A}}_{\mu} = S^{\mathcal{A}}_{\mu} \cap T^{\mathcal{A}}_{\mu}$. 

7. If $R = S;T$, with $S, T \in RT(\Sigma)$, then $R^{\mathcal{A}}_{\mu}$ is the composition of the binary relations $S^{\mathcal{A}}_{\mu}$ and $T^{\mathcal{A}}_{\mu}$. 

8. If $R = \alpha?$ with $\alpha \in For(\Sigma)$ quantifier free and with free variables $\bar{x} = x_1, \ldots, x_n$, then $R^{\mathcal{A}}_{\mu} = \{\, \langle \nu(\bar{x}), \nu(\bar{x})\rangle : \mathcal{A} \models_{P/PML} \alpha[\nu][\mu] \,\}$. 

9. If $\varphi = p(t_1, \ldots, t_k)$ with $p \in P$, $\mathcal{A} \models_{P/PML} \varphi[\nu][\mu]$ if $\langle t_1^{\mathcal{A}}[\nu], \ldots, t_k^{\mathcal{A}}[\nu]\rangle \in p^{\mathcal{A}}$. 

10. If $\varphi = \neg\alpha$, then $\mathcal{A} \models_{P/PML} \varphi[\nu][\mu]$ if $\mathcal{A} \not\models_{P/PML} \alpha[\nu][\mu]$. 

11. If $\varphi = \alpha \vee \beta$, $\mathcal{A} \models_{P/PML} \varphi[\nu][\mu]$ if $\mathcal{A} \models_{P/PML} \alpha[\nu][\mu]$ or $\mathcal{A} \models_{P/PML} \beta[\nu][\mu]$. 

12. If $\varphi = (\exists x : s)\,\alpha$, then $\mathcal{A} \models_{P/PML} \varphi[\nu][\mu]$ if there exists $a \in \mathbf{s}$ such that $\mathcal{A} \models_{P/PML} \alpha[\nu^x_a][\mu]$ ($\nu^x_a$, as usual, denotes the valuation that agrees with $\nu$ in all variables but $x$, and satisfies $\nu^x_a(x) = a$). 

13. If $\varphi = [\bar{x}\;{}_l R^u\;\bar{y}]\,\alpha$, then $\mathcal{A} \models_{P/PML} \varphi[\nu][\mu]$ if there exists a valuation $\nu'$ such that $\nu\,\langle \bar{x}\;{}_l R^u\;\bar{y}\rangle\,\nu'$ and $\mathcal{A} \models_{P/PML} \alpha[\nu'][\mu]$. 

Example 1. The example shows how the real-time features of the specification language (P/PML) play a decisive role in the choice of the implementations of processes. A manufacturer of candy vending machines wants to manufacture machines with the following characteristics. If the machine has candy, then, after money has been deposited, at most a time $K_1$ passes before candy is delivered. If the machine is empty, then at most a time $K_2$ can pass before the transaction is finished. If the machine can be fully replenished in time to meet the $K_2$ upper bound, then it should be replenished; otherwise, the money should be given back. 

Let us model the part of the behavior of the machine after money has been introduced and until candy has been delivered or the money was given back$^2$: 

$$\forall m, l, u, x\; \big(\$\_in?(m) = t \wedge x = \#candy(m) > 0 \wedge u \geq K_1 \wedge l = 0 \rightarrow [m\;{}_l VM^u\; m]\,(\#candy(m) = x - 1 \wedge delivered!(m) = t)\big)$$

$$\forall m, l, u\; \big(\$\_in?(m) = t \wedge \#candy(m) = 0 \wedge u \geq K_2 \wedge l = 0 \rightarrow [m\;{}_l VM^u\; m]\,(\#candy(m) = max\_candy - 1 \wedge delivered!(m) = t)\big)$$

$$\forall m, l, u\; \big(\$\_in?(m) = t \wedge \#candy(m) = 0 \wedge u < K_2 \wedge l = 0 \rightarrow [m\;{}_l VM^u\; m]\,(delivered!(m) = f \wedge money\_back!(m) = t)\big)$$

If the manufacturer believes that a consumer can wait for candy 3 minutes without losing his patience, then $K_2$ can be set to 3 minutes in the specification. 

$^2$ Given an object $m$ of the class “vending machine”, the method $\$\_in?$ tests if money has been deposited. Method $\#candy$ retrieves the amount of candy left in the machine. The method $delivered!$ tests if candy has been delivered, and $money\_back!$ tests if the money has been returned to the customer. The constant $max\_candy$ stands for the maximum amount of candy the machine can contain. A formal specification of the class is not given for lack of space. 
Let us assume that as a constraint, this part of the machine must be built using some of the following processes: 

— RETURN PRODUCT (that returns candy provided the machine is not empty. Its lower time bound is 0 and the upper time bound is 3 seconds). 

— REPLENISH (that fully replenishes the machine. Its lower time bound is 0 and the upper time bound will be discussed later). 

— RETURN MONEY (that gives the customer their money back. Its lower time bound is 0 and the upper time bound is 3 seconds). 

If the machine is to be placed inside a convenience store, then as soon as the machine is emptied a clerk will replenish it, and therefore a reasonable upper time bound for the replenishing action might be 2 minutes. Then, the following action shows a feasible implementation: 

$$(\#candy(m) > 0)?\,;\,RETURN\ PRODUCT \;+\; (\#candy(m) = 0)?\,;\,REPLENISH\,;\,RETURN\ PRODUCT.$$

If the machine is to be placed in a subway station, then it may be expected that it will not be replenished more than twice a day. Then, the upper time bound for the replenishing action might for instance be 12 hours. In this case, the previously described process does not satisfy the specification, but the following one does: 

$$(\#candy(m) > 0)?\,;\,RETURN\ PRODUCT \;+\; (\#candy(m) = 0)?\,;\,RETURN\ MONEY.$$



4 Omega Closure Fork Algebras 

Equational reasoning based on substitution of equals for equals is the kind of manipulation that is performed in many information processing systems. The role of equational logics in the development of formal methods for computer science applications is increasingly recognized, and various tools have been developed for modeling users’ systems and carrying through designs within the equational framework (Gries and Schneider [?], Gries [?]). 

In this section we present the calculus for closure fork algebras (CCFA), an extension of the calculus of relations (CR) and of the calculus of relations with fork [?]. Because of the non-enumerability of the theory of dynamic logic, the CCFA cannot provide an adequate algebraization. In order to overcome this restriction we will define the calculus $\omega$-CCFA by adding an infinitary equational inference rule. From the calculus we define the class $\omega$-CFA of the omega closure fork algebras and a representation theorem is presented, showing that the Kleene star as axiomatized indeed characterizes reflexive-transitive closure. 

In the following paragraphs we will introduce the Calculus for Closure Fork Algebras (CCFA). 

Definition 8. Given a set of relation symbols $R$, the set of CCFA terms on $R$ is the smallest set $T_{CCFA}(R)$ satisfying: $R \cup RelVar \cup \{\, 0, 1, 1' \,\} \subseteq T_{CCFA}(R)$. If $x \in T_{CCFA}(R)$, then $\{\, \overline{x}, x^{\smile}, x^{*}, x^{\dagger} \,\} \subseteq T_{CCFA}(R)$. If $x, y \in T_{CCFA}(R)$, then 

$$\{\, x + y,\; x \cdot y,\; x;y,\; x \nabla y \,\} \subseteq T_{CCFA}(R).$$

The symbol $\dagger$ denotes a choice operator (see [?]), which is necessary in order to prove Thm. 1. 

Definition 9. Given a set of relation symbols $R$, the set of CCFA formulas on $R$ is the set of identities $t_1 = t_2$, with $t_1, t_2 \in T_{CCFA}(R)$. 



Definition 10. Given terms $x, y, z, w \in T_{CCFA}(R)$, the identities defined by the following conditions are axioms: 

Identities axiomatizing the relational calculus. 

The following three axioms for the fork operator: 

$$x \nabla y = (x;(1' \nabla 1)) \cdot (y;(1 \nabla 1')),$$

$$(x \nabla y);(z \nabla w)^{\smile} = (x;z^{\smile}) \cdot (y;w^{\smile}),$$

$$(1' \nabla 1)^{\smile} \nabla (1 \nabla 1')^{\smile} \leq 1'.$$

The following three axioms for the choice operator, taken from [?, p. 324]: 

$$1;(x \cdot x^{\dagger});1 = 1;x;1.$$

The following two axioms for the Kleene star: 

$$x^{*} = 1' + x;x^{*}, \qquad x^{*};y \leq y + x^{*};(\overline{y} \cdot x;y).$$

Let us denote by $1'_U$ the partial identity $\overline{Ran(1 \nabla 1)}$. Then, the axiom $1;1'_U;1 = 1$ (which states the existence of a nonempty set of non-splitting elements) is added. 

The rules of inference for the calculus CCFA are those of equational logic. Note that $x^{*}$ is the smallest reflexive and transitive relation that includes $x$. 

Definition 11. We define the calculus $\omega$-CCFA as the extension of the CCFA obtained by adding the following inference rule$^3$: 

$$\frac{\vdash 1' \leq y \qquad \vdash x \leq y \qquad \vdash x^2 \leq y \qquad \cdots}{\vdash x^{*} \leq y}$$

Definition 12. We define the class of the omega closure fork algebras ($\omega$-CFA) as the models of the identities provable in $\omega$-CCFA. 

The standard models of the $\omega$-CCFA are the Proper Closure Fork Algebras (PCFA for short). In order to define the class PCFA, we will first define the class $\star$PCFA. 

$^3$ Given $i > 0$, by $x^i$ we denote the relation inductively defined as follows: $x^1 = x$, and $x^{i+1} = x;x^i$. 






Gabriel A. Baum, Marcelo F. Frias, and Thomas S.E. Maibaum 



Definition 13. Let $E$ be a binary relation on a set $U$, and let $R$ be a set of binary relations. A $\star$PCFA is a two-sorted structure with domains $R$ and $U$, $\langle R, U, \cup, \cap, \overline{\;\;}, \emptyset, E, ;, Id, {}^{\smile}, \nabla, {}^{*}, {}^{\dagger}, \star\rangle$, such that 

1. $\bigcup R \subseteq E$, 

2. $\star : U \times U \rightarrow U$ is an injective function when its domain is restricted to the set $E$, 

3. If we denote by $Id$ the identity relation on the set $U$, then $\emptyset$, $E$ and $Id$ belong to $R$, 

4. $R$ is closed under the set choice operator defined by the condition: 

$$x^{\dagger} \subseteq x \quad\text{and}\quad |x^{\dagger}| = 1 \iff x \neq \emptyset.$$

5. $R$ is closed under set union ($\cup$), intersection ($\cap$), complement relative to $E$ ($\overline{\;\;}$), composition of binary relations (;), converse (${}^{\smile}$), reflexive-transitive closure (${}^{*}$) and fork ($\nabla$), defined by $S \nabla T = \{\, \langle x, \star(y, z)\rangle : x\,S\,y \text{ and } x\,T\,z \,\}$. 

Note that $x^{\dagger}$ denotes an arbitrary pair in $x$; for this reason ${}^{\dagger}$ is called a choice operator. 

Definition 14. We define the class PCFA as $\mathbf{Rd}\,\star\text{PCFA}$, where $\mathbf{Rd}$ takes reducts to structures of the form $\langle R, \cup, \cap, \overline{\;\;}, \emptyset, E, ;, Id, {}^{\smile}, \nabla, {}^{*}, {}^{\dagger}\rangle$. 

Note that given $\mathcal{A} \in \text{PCFA}$, the terms $(1' \nabla 1)^{\smile}$ and $(1 \nabla 1')^{\smile}$ denote respectively the binary relations $\{\, \langle a \star b, a\rangle : a, b \in A \,\}$ and $\{\, \langle a \star b, b\rangle : a, b \in A \,\}$. Thus, they behave as projections with respect to the injection $\star$. We will denote these terms by $\pi$ and $\rho$, respectively. 

From the operator fork we define $x \otimes y = (\pi;x) \nabla (\rho;y)$. The operator $\otimes$ (cross), when interpreted in a proper closure fork algebra, behaves as a parallel product: $x \otimes y = \{\, \langle a \star b, c \star d\rangle : \langle a, c\rangle \in x \wedge \langle b, d\rangle \in y \,\}$. 

A relation $R$ is constant if it satisfies: $R^{\smile};R \leq 1'$, $1;R = R$, and $R;1 = 1$. Constant relations are like constant functions, i.e., they relate every element from the domain to a single object$^4$. We will denote the constant whose image is the value $a$ by $C_a$. 

Definition 15. We denote by FullPCFA the subclass of PCFA in which the relation $E$ equals $U \times U$ for some set $U$ and $R$ is the set of all binary relations contained in $E$. 

Similarly to the relation algebraic case, where every proper relation algebra (PRA) $\mathcal{A}$ belongs to$^5$ $\mathbf{ISP}\,\text{FullPRA}$, it is easy to show that every PCFA belongs to $\mathbf{ISP}\,\text{FullPCFA}$. We finally present the representation theorem for $\omega$-CFA. 

Theorem 1. Given $\mathcal{A} \in \omega\text{-CFA}$, there exists $\mathcal{B} \in \text{PCFA}$ such that $\mathcal{A}$ is isomorphic to $\mathcal{B}$. 

$^4$ This comment is in general a little strong and applies to simple algebras, but is nevertheless useful as an intuitive aid for the non-specialist. 

$^5$ By $\mathbf{I}$, $\mathbf{S}$ and $\mathbf{P}$ we denote the closure of an algebraic class under isomorphic copies, subalgebras and direct products, respectively. 
5 Interpretability of P/PML in $\omega$-CCFA 

In this section we will show how theories on P/PML can be interpreted as equational theories in $\omega$-CCFA. This is very useful because it allows us to reason equationally in a logic with variables over two different sorts (individuals and relations). 

Definition 16. Let $S$, $F$ and $P$ be sets consisting of sort, function and relation symbols, respectively. By $\omega\text{-CCFA}^{+}(S, A, F, P)$ we denote the extension of $\omega$-CCFA obtained by adding the following equations as axioms. 

1. For each $s, s' \in S$ ($s \neq s'$), the equations $1'_s \cdot 1'_U = 1'_s$ and $1'_s \cdot 1'_{s'} = 0$ (elements from types do not split, and different types are disjoint). 

2. For each $a \in A$ with $ia(a) = s_1 \ldots s_k$ and $oa(a) = s'_1 \ldots s'_l$, the equation 

$$(1'_{s_1} \otimes \cdots \otimes 1'_{s_k});a;(1'_{s'_1} \otimes \cdots \otimes 1'_{s'_l}) = a.$$

3. For each $f : s_1 \ldots s_k \rightarrow s \in F$, $f^{\smile};f + 1'_s = 1'_s$ and $(1'_{s_1} \otimes \cdots \otimes 1'_{s_k});f = f$, stating that $f$ is a functional relation of the right sorts. 

4. For each $p$ of arity $s_1 \ldots s_k$ in $P$, the equation $(1'_{s_1} \otimes \cdots \otimes 1'_{s_k});p;1 = p$, stating that $p$ is a right-ideal relation expecting inputs of the right sorts. 



Definition 17. A model for the calculus $\omega\text{-CCFA}^{+}(S, A, F, P)$ is a structure $\mathcal{A} = \langle A, \mathbf{S}^{\mathcal{A}}, \mathbf{A}^{\mathcal{A}}, \mathbf{F}^{\mathcal{A}}, \mathbf{P}^{\mathcal{A}}, m\rangle$ where: $A \in \omega\text{-CFA}$. $\mathbf{S}^{\mathcal{A}}$ is a set of disjoint partial identities, one for each sort symbol in $S$. $\mathbf{A}^{\mathcal{A}}$ is a set of binary relations, one for each action symbol $a \in A$. Besides, if $ia(a) = s_1 \ldots s_k$ and $oa(a) = s'_1 \ldots s'_l$, then $a^{\mathcal{A}}$ satisfies the condition in item 2 of Def. 16. $\mathbf{F}^{\mathcal{A}}$ is a set of functional relations, one for each function symbol in $F$. Besides, if $f : s_1 \ldots s_k \rightarrow s$, then $f^{\mathcal{A}}$ satisfies the conditions in item 3 of Def. 16. $\mathbf{P}^{\mathcal{A}}$ is a set of right ideal relations, one for each predicate symbol $p \in P$. Besides, if $p$ has arity $s_1 \ldots s_k$, then $p^{\mathcal{A}}$ satisfies the conditions in item 4 of Def. 16. $m : RelVar \rightarrow A$. 

Note that the mapping $m$ in an $\omega\text{-CCFA}^{+}(S, A, F, P)$ model extends homomorphically to arbitrary relational terms. For the sake of simplicity, we will use the same name for both. 

In the following paragraphs we will define a function mapping formulas from $P/PML(S, A, F, P)$ to $\omega\text{-CCFA}^{+}(S, A, F, P)$ formulas. In the next definitions, $\sigma$ is a sequence of numbers increasingly ordered. Intuitively, the sequence $\sigma$ contains the indices of those individual variables that appear free in the formula (or term) being translated. By $Ord(n, \sigma)$ we will denote the position of the index $n$ in the sequence $\sigma$, by $[\sigma \oplus n]$ we denote the extension of the sequence $\sigma$ with the index $n$, and by $\sigma(k)$ we denote the element in the $k$-th position of $\sigma$. In what follows, $t^n$ is an abbreviation for $t;\cdots;t$ ($n$ times). For the sake of completeness, $t^0$ is defined as $1'$. We will denote by $IndTerm(F)$ the set of terms from P/PML built from the set of constant and function symbols $F$. By $RelDes(K)$ we denote the set of terms from $\omega$-CCFA that are built from the set of relation constants $K$. 

Definition 18. The function $\delta_\sigma : IndTerm(F) \rightarrow RelDes(F)$, mapping individual terms into relation designations, is defined inductively by the conditions: 

1. $\delta_\sigma(v_i) = \rho^{\,Ord(i,\sigma)-1};\pi$ if $i$ is not the last index in $\sigma$, and $\delta_\sigma(v_i) = \rho^{\,Length(\sigma)-1}$ if it is. 

2. $\delta_\sigma(f(t_1, \ldots, t_m)) = (\delta_\sigma(t_1) \nabla \cdots \nabla \delta_\sigma(t_m));f$ for each $f \in F$. 

Given a sequence $\sigma$ such that $Length(\sigma) = l$ and an index $n$ ($n < \omega$) such that $v_n$ has sort $s$, we define the term $\Delta_{\sigma,n}$ by the conditions$^6$ 

$$\Delta_{\sigma,n} = \begin{cases} \delta_\sigma(v_{\sigma(1)}) \nabla \cdots \nabla 1_s \nabla \delta_\sigma(v_{\sigma(k+1)}) \nabla \cdots \nabla \delta_\sigma(v_{\sigma(l)}) & \text{if } k = Ord(n, [\sigma \oplus n]) < l, \\ \delta_\sigma(v_{\sigma(1)}) \nabla \cdots \nabla \delta_\sigma(v_{\sigma(l-1)}) \nabla 1_s & \text{if } Ord(n, [\sigma \oplus n]) = l. \end{cases}$$



Notation 1. Let $\sigma$ be a sequence of indices of individual variables of length $n$. Let $\bar{x} = \langle x_1, \ldots, x_k\rangle$ be a vector of variables whose indices occur in $\sigma$. We will denote by $\Pi_{\sigma,\bar{x}}$ the relation that, given a tuple of values for the variables whose indices appear in $\sigma$, projects the values corresponding to the variables appearing in $\bar{x}$. For example, given $\sigma = \langle 2, 5, 7, 9\rangle$ and $\bar{x} = \langle v_2, v_7\rangle$, $\Pi_{\sigma,\bar{x}} = \{\, \langle a_1 \star a_2 \star a_3 \star a_4,\; a_1 \star a_3\rangle : a_1, a_2, a_3, a_4 \in A \,\}$. Similarly, $Arrange_{\sigma,\bar{x}}$ denotes the relation that, given two tuples of values (one for the variables with indices in $\sigma$ and the other for the variables in $\bar{x}$), produces a new tuple of values for the variables with indices in $\sigma$, updating the old values with the values in the second tuple. For the previously defined $\sigma$ and $\bar{x}$, we have 

$$Arrange_{\sigma,\bar{x}} = \{\, \langle (a_1 \star a_2 \star a_3 \star a_4) \star (b_1 \star b_2),\; b_1 \star a_2 \star b_2 \star a_4\rangle : a_1, a_2, a_3, a_4, b_1, b_2 \in A \,\}.$$

Note that these two relations can be easily defined using the projections $\pi$ and $\rho$ previously defined. 

Definition 19. The mappings $M : RT(\Sigma) \rightarrow RelDes(A)$ and $T_\sigma : For(\Sigma) \rightarrow RelDes(A \cup F \cup P)$ are mutually defined by 

$$M(a) = a \text{ for each } a \in A \cup RelVar, \qquad M(1'_{s_1 \ldots s_k}) = 1'_{s_1} \otimes \cdots \otimes 1'_{s_k},$$

$$M(R^{*}) = M(R)^{*}, \qquad M(R + S) = M(R) + M(S),$$

$$M(R \cdot S) = M(R) \cdot M(S), \qquad M(R;S) = M(R);M(S),$$

$$M(\alpha?) = T_\sigma(\alpha) \cdot 1',$$

$$T_\sigma(p(t_1, \ldots, t_k)) = (\delta_\sigma(t_1) \nabla \cdots \nabla \delta_\sigma(t_k));p, \qquad T_\sigma(\neg\alpha) = \overline{T_\sigma(\alpha)},$$

$$T_\sigma((\exists v_n : s)\,\alpha) = \Delta_{\sigma,n};T_{[\sigma \oplus n]}(\alpha), \qquad T_\sigma(\alpha \vee \beta) = T_\sigma(\alpha) + T_\sigma(\beta),$$

$$T_\sigma([\bar{x}\;{}_l R^u\;\bar{y}]\,\alpha) = (\cdots);Arrange_{\sigma,\bar{y}};T_\sigma(\alpha) \cdot ((v_l;\leq) \cdot C_{l(R)});1 \cdot ((v_u;\geq) \cdot C_{u(R)});1.$$

We will denote by $\vdash_{\omega\text{-CCFA}}$ the provability relation in the calculus $\omega$-CCFA. The next theorem states the interpretability of theories from P/PML as equational theories in $\omega$-CCFA. 

Theorem 2. Let $\Gamma \cup \{\, \varphi \,\}$ be a set of P/PML formulas without free individual variables. Then, 

$$\Gamma \models_{P/PML} \varphi \iff \{\, T_{\langle\rangle}(\gamma) = 1 : \gamma \in \Gamma \,\} \vdash_{\omega\text{-CCFA}} T_{\langle\rangle}(\varphi) = 1.$$

$^6$ By $1_s$ we denote the relation $1;1'_s$. 
6 Conclusions 

We have presented a logic {P/PML) for formal real-time systems specification 
and construction. This logic is an extension of dynamic logic by considering 
arbitrary atomic actions, an operator for putting processes in parallel, and ex- 
plicit time. We have also presented an equational calculus in which theories of 
P/PML can be interpreted, thus enabling the use of equational inference tools 
in the process of systems construction. 
Abstract. Our work intends to verify reactive systems with event memorization specified with the reactive language Electre. For this, we define a particular behavioral model for Electre programs, Reactive Fiffo Automata (RFAs), which is close to Fifo Automata. Intuitively, a RFA is the model of a reactive system which may store event occurrences that must not be immediately taken into account. We show that, contrary to lossy systems where the reachability set is recognizable but not effectively computable, (1) the reachability set of a RFA is recognizable, and (2) it is effectively computable. Moreover, we also study the relationships between RFAs and Finite Automata and we prove that (3) from a trace language point of view, inclusions between RFAs and Finite Automata are undecidable and (4) the linear temporal logic LTL on states without the temporal operator next is decidable for RFAs, while LTL on transitions is undecidable. 



1 Introduction 

Objectives. The aim of this work is to verify reactive systems with event memorization specified with the reactive language Electre [?]. A reactive program is supposed to react instantaneously to occurrences of events. A particular feature of the Electre language is that it is possible to store occurrences of events in order to process them later. The number of stored occurrences is unbounded. Consequently the behavioral model for an Electre program has an unbounded number of states and verification with standard model-checking techniques cannot be used on this model. Roux & Cassez have verified Electre programs by bounding the number of stored occurrences [?]. This paper deals with analysis of transition systems produced by compilation of Electre programs, without any assumption on the boundedness of the number of stored occurrences. 

Related work. The behavioral model for Electre programs is close to Communicating Finite State Machines (CFSMs) or Fifo Automata. However, this class has the power of Turing Machines, since it is possible to simulate any Turing Machine by a system of two CFSMs [?]. The reachability problem is decidable for systems with the recognizable channel property [Pac87], but this result cannot be easily used in general because this property is undecidable. Decidability results have been established for particular classes of Fifo Automata. The reachability problem is decidable for linear Fifo Automata, which can be simulated by colored Petri Nets [?]. The reachability problem is decidable for lossy systems and the reachability set of a lossy system is recognizable [?], but it is not effectively computable [?]. Half-duplex systems and quasi-stable systems have a recognizable reachability set and it is effectively computable [?]. Semi-algorithms computing a symbolic representation for the reachability set of a Fifo Automaton have also been established [?]. 



Our contribution. Our work intends to establish similar results for the new class of Reactive Fiffo Automata (RFAs) [?] that models Electre programs. The three main results of the paper are: 

1. the reachability set of a Reactive Fiffo Automaton is recognizable (section 4), 

2. the reachability set of a Reactive Fiffo Automaton is effectively computable (section 4), 

3. the linear temporal logic LTL without the temporal operator next (LTL\X) is decidable for Reactive Fiffo Automata (section ?). This result especially allows one to check liveness and safety properties. 

We also analyse the relationships between Reactive Fiffo Automata and Finite Automata and we prove that, from a trace language point of view, inclusions between RFAs and Finite Automata are undecidable. Semantic models of other reactive languages are finite automata: in this sense, the expressiveness of Electre is strictly greater, since its semantic model is an RFA. 

Outline of the paper. Section 2 recalls several definitions we use throughout the paper. In section 3 we introduce the behavioral model for Electre programs, which is a Reactive Fiffo Automaton. Section 4 is devoted to proving that the reachability set of a RFA is recognizable and effectively computable. In section 5 we examine the relationships between Reactive Fiffo Automata and Finite Automata. Eventually we give in section 6 directions for future work. 

Several proofs are not included in this paper, but they can be found in a longer version [?]. 

2 Preliminaries 

Here are some basics on words and transition systems. Let $\Sigma$ be an alphabet (a finite, non-empty set). We write $\Sigma^*$ for the set of all finite words $x_1 x_2 \cdots x_k$ with $x_i \in \Sigma$, and $\varepsilon$ is the empty word. For two words $x, y \in \Sigma^*$, $x \sqcup\!\sqcup y$ is their shuffle: $x \sqcup\!\sqcup y = \{\, x_1 y_1 x_2 y_2 \cdots x_n y_n \mid x = x_1 x_2 \cdots x_n \text{ and } y = y_1 y_2 \cdots y_n \text{ with } x_i, y_i \in \Sigma^* \,\}$. If $x \in \Sigma^*$ is a word and $e \in \Sigma$ is a letter, we write $|x|_e$ for the number of occurrences of $e$ in $x$. For two words $x, y \in \Sigma^*$, $x$ is a subword of $y$ iff $y \in x \sqcup\!\sqcup \Sigma^*$. 
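As an added example (not code from the paper), the following Python implements the shuffle $x \sqcup\!\sqcup y$, the count $|x|_e$ and the subword relation exactly as defined above, checking $y \in x \sqcup\!\sqcup \Sigma^*$ by a finite search, and sets it beside the usual scattered-subsequence test so the two can be compared. The alphabet $\Sigma = \{a, b\}$ is a constructed assumption.

```python
from functools import lru_cache
from itertools import product
from typing import FrozenSet

SIGMA = ("a", "b")   # constructed alphabet Sigma


@lru_cache(maxsize=None)
def shuffle(x: str, y: str) -> FrozenSet[str]:
    """x ⧢ y: every word x1 y1 x2 y2 ... xn yn with x = x1...xn and y = y1...yn.
    Built letter by letter: the next letter of the result comes from x or from y."""
    if not x:
        return frozenset({y})
    if not y:
        return frozenset({x})
    from_x = frozenset(x[0] + w for w in shuffle(x[1:], y))
    from_y = frozenset(y[0] + w for w in shuffle(x, y[1:]))
    return from_x | from_y


def occurrences(x: str, e: str) -> int:
    """|x|_e, the number of occurrences of the letter e in x."""
    return sum(1 for c in x if c == e)


def is_subword_by_definition(x: str, y: str) -> bool:
    """x is a subword of y iff y ∈ x ⧢ Σ*.  A word z ∈ Σ* can only contribute
    when |z| = |y| - |x|, so the infinite union over Σ* collapses to a finite search."""
    if len(x) > len(y):
        return False
    candidates = product(SIGMA, repeat=len(y) - len(x))
    return any(y in shuffle(x, "".join(z)) for z in candidates)


def is_subword(x: str, y: str) -> bool:
    """Equivalent greedy test: x embeds in y as a scattered subsequence."""
    it = iter(y)
    return all(c in it for c in x)


def definitions_agree(max_len: int = 3) -> bool:
    """Cross-check both subword tests on every pair of words over Σ up to max_len."""
    words = ["".join(w) for n in range(max_len + 1) for w in product(SIGMA, repeat=n)]
    return all(is_subword(x, y) == is_subword_by_definition(x, y) for x in words for y in words)
```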

A transition system is a structure $TS = (S, s_0, A, \rightarrow)$ where $S$ is a set of 
states, $s_0$ is the initial state, $A$ is a finite set of actions and $\rightarrow \subseteq S \times A \times S$ is 
a set of transitions. We write $\xrightarrow{*}$ for the reflexive transitive closure of $\rightarrow$. An 
execution is a finite or infinite sequence of transitions $(s_i \xrightarrow{a_i} s_i')_{i \geq 1}$ such that 
for all $i \geq 1$, $s_{i+1} = s_i'$. Furthermore, we write $s_1 \xrightarrow{a_1 a_2 \cdots a_n} s_{n+1}$ whenever we 
have $s_1 \xrightarrow{a_1} s_2 \xrightarrow{a_2} s_3 \cdots s_n \xrightarrow{a_n} s_{n+1}$. A state $s$ is said to be reachable in $TS$ 
iff there exists an execution from the initial state, $s_0 \xrightarrow{*} s$. The reachability set 
of $TS$, noted $RS(TS)$, is the set of all reachable states in $TS$. 

Let us also recall some decision problems for transition systems. The Reachability 
Problem is, given a transition system $TS$ and a state $s$ of $TS$, to determine 
whether $s$ is reachable in $TS$. The Recurrent Reachability Problem is, given a 
transition system $TS$ and a state $s$ of $TS$, to determine whether there exists an 
execution in $TS$ in which $s$ appears infinitely often. The Finite Reachability Set 
Problem is, given a transition system $TS$, to determine whether the reachability 
set of $TS$ is finite. The Inclusion of Reachability Sets Problem is, given two 
transition systems $TS_1$ and $TS_2$, to determine whether the reachability set of 
$TS_1$ contains the reachability set of $TS_2$. The Termination Problem is, given a 
transition system $TS$, to determine whether all executions in $TS$ are finite. 



3 RFA: A Model for Reactive Systems with Event 
Memorization 

Electre is a reactive language aimed at specifying and programming real-time 
applications. Because of the nature of these applications, we need to cope with events of 
different kinds; a relevant classification concerns their memorization 
properties. To this end, Electre provides two sorts of events: fleeting 
or memorized. 

These features are essential in the programming of some automated applications: 
real industrial experiments have been carried out in the field of embedded 
systems in cars and in avionics (namely with the Snecma company and the 
Cert/Onera laboratory), but of course they are too big to be reported 
in this paper. 

In order to understand the need for memorization of events, consider a conveyor 
which brings items to be manufactured at a rate which may differ from 
the rate of the manufacturing machine. To process all the incoming items, we 
have to memorize the pending items. Thus, the ability of the language to express 
memorization of events can ease the task of specification. This particular feature 
becomes crucial when there are many events whose memorizations 
can be interleaved. 

* Work partially supported under three-year grant number 765 358 L. 
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To deal with the memorization, we start with a finite model of Electre pro- 
grams (Control Automaton, Definition Pi which does not take into account the 
memorization. Then, a list of stored occurrences of events is added to this finite 
model in order to deal with the ordered and multiple memorizations of the events 
occurrences. Thus, we obtain a Reactive Fiffo Automaton (RFA, Definition P : 
a stored occurrence of an event is processed as soon as possible and priority is 
given to the oldest stored occurrence, hence the name First In First Fireable 
Out (fiffo)- 

This memorization issue is completely defined in the semantics of the Electre 
language: this accounts for the semantic model of programs (RFA) which is the 
subject of this section. 

The RFA model can be used for simulations or real executions (tools have 
been developed, namely SILEX for simulation and exile for execution). A specific 
real-time executive based on the RFA model runs in exile and provides an 
efficient execution. 

In this section, we first give a brief description of the language. Then, we de- 
fine a behavioral model for Electre programs which is a Reactive Fiffo Automaton 
(RFA). 

3.1 The Electre Reactive Language 

Overview of the Language. An Electre program describing the behavior of a 
process is made of three types of components: 

modules: which are tasks of the process without blocking points: each instance 
of a module is a piece of executable code which can be either active, pre- 
empted or idle, 

events: which can be software or hardware originated: each occurrence of an 
event is a signal which can be either memorized or not, 
operators: combining the two previous components (for instance parallelism, 
sequence, preemption or launching (of a module by an event), repetition, 
and so on). 

The term reactive means that the system controlling the process is to re- 
act instantaneously to any event occurring in the environment. As a running 
example, we will focus on an Electre program for describing the well-known 
readers/ writers problem. 



The Readers/Writers Problem. The readers/writers problem was originally 
stated and solved in [CHP71]. There are several variations on this problem, 
all involving priorities. We specify our readers/writers problem here with the 
following requirements: 

— several readers can read the book simultaneously, 

— when a writer writes the book, no other process (reader or writer) can access 
the book. 
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To specify the problem in the Elect re language with two readers and two 
writers, we proceed as follows: 

— the processes readers and writers are what we called modules 

• READi (respectively READ 2 ) refers to the module for reader 1 (re- 
spectively reader 2) to read the book, 

• W RIT E refers to the module for both writer 1 and writer 2 to write the 
book, 

— a request to read or write the book is an event 

• ri (respectively V 2 ) is a request for reading the book made by reader 1 
(respectively reader 2), 

• wi (respectively W 2 ) is a request for writing the book made by writer 1 
(respectively writer 2). 

An Elect re program that specifies the behavior of the system is presented in 
Figured 



PROGRAM Readers&Writers ; 
  loop 
    await 
      { r1 : READ1 || r2 : READ2 } 
    or 
      #w1 : WRITE 
    or 
      #w2 : WRITE 
  end loop ; 
END Readers&Writers ; 

Fig. 1. Readers/writers with no multiple memorization for reading requests 



We shall not go into details about the syntax of the Electre language; the 
meaning of the above program can be summed up as follows: 

1. a request for reading (r1 or r2) is a standard event (no qualifier before it); 
this means that 

— if the request cannot be taken into account at the time the event occurs, 
then the request is: 

• ignored if it has already been stored; 

• stored otherwise; 

(that is, a standard event is memorized at most once), 

— on the contrary, if the request can be taken into account, the corresponding 
module (READ1 for request r1) is launched (this is the meaning of 
the symbol ":"), 

2. the activities of readers 1 and 2 may be run simultaneously (symbol "||"), 
and when READ1 is being run the request r2 can be taken into account (the 
converse holds when READ2 is being run), 

3. the writing activity WRITE and the parallel activity of READ1 and READ2 
are in mutual exclusion (symbol "or"), 

4. the requests for writing w1 and w2 can be satisfied one at a time (symbol 
"or" between the events w1 and w2), 

5. the program consists of a cycle (structure "loop ... end loop") of waiting 
until one of the events r1, r2, w1 or w2 occurs (structure "await"), 

6. w1 and w2 are multiple storage events (prefixed by "#", the set $\Sigma_m$ in Definition 1): 
occurrences of these events may be memorized an unbounded number of 
times. 

r1 and r2 are single storage events (not prefixed, the set $\Sigma_s$ in Definition 1): only 
one occurrence of each of these events may be memorized at one time. 

Memorizable events are either multiple or single storage events. Other events 
are fleeting events. 

3.2 From Electre Programs to RFAs 

The first step towards the behavioral model for Electre programs is a Control 
Automaton. Each transition of this automaton indicates what is to be done upon 
the occurrence of an event. It is built according to the semantics of the language. 

On the example of the readers and writers, we obtain the automaton depicted 
in Figure 2. 

It must be interpreted as follows: 

• each completion of a module $X$ (written $\mathit{end}_X$) is a fleeting event, 

• immediate processing: whenever the occurrence of an event $x$ can be 
taken into account, the transition labeled $x$ is triggered (e.g. $q_0 \xrightarrow{x} q_1$), 

• 1.(a) memorization/sending: whenever the occurrence of a memorizable event 
$x$ cannot be taken into account, it is stored, and the transition is labeled 
$!x$ (e.g. $q_2 \xrightarrow{!x} q_2$); moreover, there is no state change in the Control 
Automaton (Definition 1, 1.(a)), 

• 1.(b) batch processing/reception: whenever a stored occurrence of a memorizable 
event $x$ is processed, the transition labeled $?x$ is triggered (e.g. 
$q_0 \xrightarrow{?x} q_3$). Batch processing an event has the same effect as the immediate 
processing of the same event (Definition 1, 1.(b)), 

• 2. the automaton is complete w.r.t. memorizable events (Definition 1, 2.). 

This does not state when the transitions are triggered. We will define the 
operational semantics of the Control Automaton in Definition 2. 

In the sequel, we focus on the memorizable events: consequently, immediate 
processing transitions are abstracted into $\tau$-transitions (e.g. $q_0 \xrightarrow{x} q_1$ becomes 
$q_0 \xrightarrow{\tau} q_1$). 

Now, we can give a formal definition of a Control Automaton: 

Fig. 2. The Reactive Fiffo Automaton for the readers/writers 

Definition 1 (Control Automaton). A Control Automaton is a finite transition 
system $C = (Q, q_0, A, \rightarrow_C)$, where: 

• $Q$ is a finite set of control states, and, 

• $q_0$ is the initial state, and, 

• $A = (\{!, ?\} \times \Sigma) \cup \{\tau\}$ is a finite set of actions such that $\Sig$ma$ is an alphabet 
and $\Sigma_m, \Sigma_s$ are subsets of $\Sigma$ verifying $\Sigma_m \cap \Sigma_s = \emptyset$ and $\Sigma_m \cup \Sigma_s = \Sigma$, 
and, 

• $\rightarrow_C$ is any finite set of transitions verifying the two following properties: 

1. for all $q, q' \in Q$ and $e \in \Sigma$: 

(a) if $q \xrightarrow{!e}_C q'$, then $q = q'$, 

(b) if $q \xrightarrow{?e}_C q'$, then $q \xrightarrow{\tau}_C q'$, 

2. for all $q \in Q$ and $e \in \Sigma$, we have either $q \xrightarrow{!e}_C q$ or there exists a state $q'$ 
such that $q \xrightarrow{?e}_C q'$. 

For every control state $q \in Q$, we write $\Sigma_q = \{e \in \Sigma \mid q \xrightarrow{!e}_C q\}$. 

Remark 1. Every reachable state of a Control Automaton is reachable by an 
execution containing only $\tau$-transitions. 
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A Control Automaton is built for every Electre program. A fiffo queue is then 
added to the Control Automaton to take the memorisation and batch processing 
of events into account. This is formally defined by the Reactive Fiffo Automaton 
(RFA). 

Definition 2 (Reactive Fiffo Automaton). The Reactive Fiffo Automaton 
$R$ associated with a Control Automaton $C = (Q, q_0, (\{!, ?\} \times \Sigma) \cup \{\tau\}, \rightarrow_C)$ is 
the potentially infinite transition system $R = (S, s_0, A, \rightarrow_R)$ defined as follows: 

• $S = Q \times \Sigma^*$ is the set of states, and, 

• $s_0 = (q_0, \varepsilon)$ is the initial state, and, 

• $A = (\{!, ?\} \times \Sigma) \cup \{\tau\}$ is the set of actions, and, 

• the set of transitions $\rightarrow_R$ is the smallest subset of $S \times A \times S$ verifying: 

1. if $q \xrightarrow{\tau}_C q'$ then for all $w \in \Sigma_q^*$, $(q, w) \xrightarrow{\tau}_R (q', w)$, and 

2. if $q \xrightarrow{!e}_C q'$ then for all $w \in \Sigma_q^*$, $(q, w) \xrightarrow{!e}_R (q', w')$, where $w'$ is defined by: 

(a) $w' = w$ if $e \in \Sigma_s$ and $|w|_e \geq 1$, 

(b) $w' = we$ otherwise, and 

3. if $q \xrightarrow{?e}_C q'$ then for all $w_1 \in \Sigma_q^*$, $w_2 \in \Sigma^*$, $(q, w_1 e w_2) \xrightarrow{?e}_R (q', w_1 w_2)$. 

Definition 3 (Stability). A state $(q, w)$ of a Reactive Fiffo Automaton is stable 
iff $w \in \Sigma_q^*$. Otherwise, it is unstable. 

The definition of a Reactive Fiffo Automaton corresponds to the informal 
semantics of the fiffo queue given at the beginning of this section: 

— conditions 1 and 2 give priority to batch processing: stored occurrences of 
events are processed as soon as possible (a $\tau$-transition or a memorization is only 
possible from a stable state), 

— condition 3 corresponds to the fiffo order: in a batch processing, priority is 
given to the oldest stored occurrence that can be fired. 



Example 1. Keeping our readers/writers example, let us consider the RFA $R$ 
associated with the Control Automaton $C$ described in Figure 2. An execution 
of $R$ is for example: 

$$(q_0, \varepsilon) \xrightarrow{\tau} (q_3, \varepsilon) \xrightarrow{!r_1} (q_3, r_1) \xrightarrow{!w_2} (q_3, r_1 w_2) \xrightarrow{!r_2} (q_3, r_1 w_2 r_2) \xrightarrow{\tau} (q_0, r_1 w_2 r_2) \xrightarrow{?r_1} \cdots$$ 

$$\cdots (q_1, w_2 r_2) \xrightarrow{?r_2} (q_1, w_2) \xrightarrow{\mathit{end}_{READ_1}} (q_4, w_2) \cdots (q_6, w_2) \xrightarrow{\mathit{end}_{READ_2}} (q_0, w_2) \xrightarrow{?w_2} (q_3, \varepsilon) \cdots$$ 

Three relevant observations can be made on this example: 

— $(q_0, r_1 w_2 r_2)$ is an unstable state: priority is given to the processing of the 
first memorized occurrence ($r_1$), 

— hence, even though $q_3 \xrightarrow{\tau} q_0 \xrightarrow{\tau} q_3 \cdots$ is an execution of the Control 
Automaton $C$, $(q_3, r_1 w_2 r_2) \xrightarrow{\tau} (q_0, r_1 w_2 r_2) \xrightarrow{\tau} (q_3, r_1 w_2 r_2) \cdots$ is 
not an execution of the RFA $R$, because the last transition is not a transition 
of $R$, 

— in the transition $(q_1, w_2 r_2) \xrightarrow{?r_2} (q_1, w_2)$ above, it can be noticed that the 
processing of the memorized occurrences is done in the First In First Fireable 
Out order (which is not strictly the fifo order): $w_2$ is older than $r_2$ but cannot 
be fired in $q_1$. 

114 Gregoire Sutre et al. 



4 Computation of the Recognizable Reachability Set of a 
RFA 

We prove, in this section, that the reachability set of a Reactive Fiffo Automaton 
is recognizable and that it is effectively computable. This result especially allows 
us to decide the Reachability Problem, the Finite Reachability Set Problem and 
the Inclusion of Reachability Sets Problem for RFAs. 

In the following, we consider a Reactive Fiffo Automaton $R$ associated with 
a Control Automaton $C = (Q, q_0, (\{!, ?\} \times \Sigma) \cup \{\tau\}, \rightarrow)$. 

Our first result states that the reachability set of a Reactive Fiffo Automaton 
is recognizable. This property comes essentially from condition 1.(a) of Definition 
1: when an event $e$ may be memorized, it is possible to memorize $e^n$ for 
any $n > 0$. 

Intuitively speaking, a RFA cannot count, but it takes the fiffo order (which 
is very close to the fifo order) into account. The fact that it cannot count allows 
the recognizability of its reachability set. Petri nets are orthogonal: they allow 
one to count but not to retain the fifo ordering. So these two partially analysable 
models are based on different assumptions. 

Hence, the fiffo queue of a RFA behaves like a fifo queue capable of both 
lossiness and duplication errors. It follows that the reachability set of a 
RFA is recognizable. 

Theorem 1. The reachability set of $R$ is recognizable. 

Proof. The proof is similar to the proof that the reachability set of a lossy 
system is recognizable. Let $\preceq$ be the well ordering over $Q \times \Sigma^*$ defined 
by $(q, w) \preceq (q', w')$ iff $q = q'$ and $w$ is a subword of $w'$. Assume the reachability 
set $RS(R)$ of $R$ is downward closed. Then $\mathrm{Compl}(RS(R))$ is upward closed. Since 
$\preceq$ is a well ordering, $\mathrm{Compl}(RS(R))$ has a finite set $M$ of minimal elements, which 
gives a recognizable description of $\mathrm{Compl}(RS(R))$: 

$$\mathrm{Compl}(RS(R)) = \bigcup_{(q, w) \in M} (q, w \sqcup\!\sqcup \Sigma^*)$$ 

As $\mathrm{Compl}(RS(R))$ is recognizable, we obtain that $RS(R)$ is recognizable. It 
remains to prove that $RS(R)$ is downward closed. 

Let $(q, w_1 e w_2) \in RS(R)$, with $w_1, w_2 \in \Sigma^*$ and $e \in \Sigma$. We show that 
$(q, w_1 w_2) \in RS(R)$. Since $(q, w_1 e w_2) \in RS(R)$, there exists an execution $\pi = 
(q_0, \varepsilon) \xrightarrow{*} (q, w_1 e w_2)$ in $R$, which may be decomposed as follows: 

$$\pi = (q_0, \varepsilon) \xrightarrow{\sigma_1} (q, x) \xrightarrow{!e} (q, xe) \xrightarrow{\sigma_2} (q, w_1 e w_2)$$ 

where the event occurrence $e$ memorized by the transition $t = (q, x) \xrightarrow{!e} (q, xe)$ 
is the event occurrence $e$ in $w_1 e w_2$. Hence $|\sigma_2|_{?e} \leq |x|_e$ and $\pi'$ defined below is 
still an execution of $R$, as it is possible to remove the transition $t$ from $\pi$ (see footnote 3): 

$$\pi' = (q_0, \varepsilon) \xrightarrow{\sigma_1} (q, x) \xrightarrow{\sigma_2} (q, w_1 w_2) \qquad \square$$ 

However, this does not prove that the reachability set of a Reactive Fiffo 
Automaton is effectively recognizable. For instance, in the case of lossy systems, 
it has been shown that the reachability set is recognizable but not computable. 

The remainder of this section is devoted to proving that the recognizable 
reachability set of a Reactive Fiffo Automaton is computable. 

Definition 4. For every $q \in Q$, we call language of the fiffo queue in the control 
state $q$, written $\mathcal{L}_R(q)$, the set: 

$$\mathcal{L}_R(q) = \{w \in \Sigma^* \mid (q_0, \varepsilon) \xrightarrow{*} (q, w)\}$$ 

It is clear, according to the definition of a Reactive Fiffo Automaton, that if a 
control state $q \in Q$ is not reachable in the Control Automaton $C$ then $\mathcal{L}_R(q) = \emptyset$. 
We will in the following deal with the control states $q \in RS(C)$ reachable in $C$. 

Notation. For every $F \subseteq \Sigma$, we write $S(F^*)$ for the set of words over $F$ containing 
at most one occurrence of each single storage event: 

$$S(F^*) = \{w \in F^* \mid \forall e \in \Sigma_s,\ |w|_e \leq 1\}$$ 

Let us notice that for any $F \subseteq \Sigma$, the language $S(F^*)$ is regular. Moreover, 
according to the definition of a Reactive Fiffo Automaton, a single storage 
event can appear at most once in the fiffo queue part of a reachable state. More 
formally: 

Remark 2. For every reachable state $(q, w)$ of $R$, we have $w \in S(\Sigma^*)$. 



Lemma 1. Let $q \in RS(C)$ be a control state of $R$ reachable in $C$. If $w \in S(\Sigma_q^*)$ 
then $(q, w)$ is reachable in $R$. 

Using Lemma 1 and Remark 2, it is easy to infer that the recognizable set 
of stable reachable states in $R$ is computable, because it may be written as 

$$\bigcup_{q \in RS(C)} (q, S(\Sigma_q^*)).$$ 

We will now, in the following lemma, also deal with the unstable reachable 
states of $R$. 

Lemma 2. Let $(q, w)$ be a stable reachable state of $R$ and $(q, w) \xrightarrow{\tau} (q_1, w) 
\xrightarrow{?e_1 ?e_2 \cdots ?e_k} (q', w')$ be an execution of $R$. Then we have: 

1. $e_1 e_2 \cdots e_k \in S(\Sigma^*)$ and, 

2. $w' \in S(X^*)$, where $X = \Sigma_q \setminus (\Sigma_s \cap \{e_1, e_2, \ldots, e_k\})$ and $\{e_1, e_2, \ldots, e_k\}$ 
denotes the set associated with the multiset consisting of the elements $e_1, 
e_2, \ldots, e_k$. 

3 Intuitively, the memorized event occurrence $e$ could have not occurred, since 
memorization does not change the control state. 

We now define, for all $(q, F) \in Q \times 2^\Sigma$, the set $\mathrm{CoReach}(q, F)$, which will 
allow us to prove that the reachability set of $R$ is recognizable. Intuitively, we 
define $\mathrm{CoReach}(q, F)$ so that if a control state $p$ is in $\mathrm{CoReach}(q, F)$, then the 
states in $(q, S(F^*))$ are reachable from the set of stable states $(p, S(\Sigma^*))$ and 
hence are reachable in $R$. 

Definition 5 (CoReach). Let $q \in Q$ be a control state of $R$ and $F \subseteq \Sigma$ be a 
subset of $\Sigma$. The set $\mathrm{CoReach}(q, F) \subseteq Q$ is the set of control states $p \in Q$ such 
that there exists an execution $p \xrightarrow{\tau} q_1 \xrightarrow{?e_1 ?e_2 \cdots ?e_k} q$ in $C$ verifying: 

1. $e_1 e_2 \cdots e_k \in S(\Sigma^*)$ and, 

2. $F = \Sigma_p \setminus (\Sigma_s \cap \{e_1, e_2, \ldots, e_k\})$. 

Let us remark that for all $q \in Q$, the set $\{F \subseteq \Sigma \mid \mathrm{CoReach}(q, F) \neq 
\emptyset\}$ is finite. The following theorem gives a precise description of the reachability 
set of a Reactive Fiffo Automaton, which will allow us to prove that the 
recognizable reachability set of a Reactive Fiffo Automaton is computable. 



Theorem 2. For every control state $q \in RS(C)$ reachable in $C$, we have: 

$$\mathcal{L}_R(q) = S(\Sigma_q^*) \ \cup \bigcup_{F \subseteq \Sigma,\ \mathrm{CoReach}(q, F) \neq \emptyset} S(F^*)$$ 



Proof. Let us prove the inclusion from left to right. Assume $q \in RS(C)$ and 
$w \in \mathcal{L}_R(q)$. Two cases may arise: 

— $(q, w)$ is stable: then according to the definition of a stable state, we have 
$w \in \Sigma_q^*$. In this way, Remark 2 leads to $w \in S(\Sigma_q^*)$. 

— $(q, w)$ is unstable: as $w \in \mathcal{L}_R(q)$, there exists an execution $\pi = (q_0, \varepsilon) \xrightarrow{*} 
(q, w)$ in $R$. Since $(q_0, \varepsilon)$ is stable, $\pi$ contains a stable state, and we call 
$(q_s, w_s)$ the last stable state of $\pi$. As $(q, w)$ is unstable, we come to $(q, w) \neq 
(q_s, w_s)$. Hence $(q_s, w_s)$ is the source of a transition in $\pi$ and we get that $\pi$ 
may be written as: 

$$\pi = (q_0, \varepsilon) \xrightarrow{*} (q_s, w_s) \xrightarrow{a} (q_1, w_1) \xrightarrow{\sigma} (q, w)$$ 

As $(q_s, w_s)$ is the last stable state of $\pi$, we obtain: 

• on one hand $a \notin \{?\} \times \Sigma$ and on the other hand $a \notin \{!\} \times \Sigma$ because 
otherwise $(q_1, w_1)$ would be a stable state. Therefore $a = \tau$ and $w_1 = w_s$. 

• every state in $(q_1, w_1) \xrightarrow{\sigma} (q, w)$ is unstable. Therefore $\sigma \in (\{?\} \times \Sigma)^*$ 
and we assume in the following that $\sigma$ is written $?e_1 ?e_2 \cdots ?e_k$. 

Let us assume that $F = \Sigma_{q_s} \setminus (\Sigma_s \cap \{e_1, e_2, \ldots, e_k\})$. We can apply Lemma 2 
so that: 

• $e_1 e_2 \cdots e_k \in S(\Sigma^*)$. Moreover $q_s \xrightarrow{\tau} q_1 \xrightarrow{?e_1 ?e_2 \cdots ?e_k} q$ is an execution 
of $C$. Therefore $q_s \in \mathrm{CoReach}(q, F)$ so that $\mathrm{CoReach}(q, F) \neq \emptyset$. 

• $w \in S(F^*)$. 

Finally: 

$$w \in S(\Sigma_q^*) \ \cup \bigcup_{F \subseteq \Sigma,\ \mathrm{CoReach}(q, F) \neq \emptyset} S(F^*)$$ 

Let us prove the inclusion from right to left. Assume $q \in RS(C)$. We notice 
that according to Lemma 1, for $w \in S(\Sigma_q^*)$, $(q, w)$ is reachable in $R$. Now 
assume $\mathrm{CoReach}(q, F) \neq \emptyset$ and $w \in S(F^*)$. Since $\mathrm{CoReach}(q, F) \neq \emptyset$, there 
exists a control state $p$ and an execution $p \xrightarrow{\tau} q_1 \xrightarrow{?e_1 ?e_2 \cdots ?e_k} q$ in $C$ such that: 

— $e_1 e_2 \cdots e_k \in S(\Sigma^*)$ and, 

— $F = \Sigma_p \setminus (\Sigma_s \cap \{e_1, e_2, \ldots, e_k\})$. 

As $w \in S(F^*)$, we have for all $e \in \Sigma_s$: 

— if $e \in \{e_1, \ldots, e_k\}$ then $e \notin F$, hence $e \notin \mathrm{alph}(w)$. Therefore $|(e_1 \cdots e_k) \cdot w|_e = 
|e_1 \cdots e_k|_e \leq 1$. 

— if $e \notin \{e_1, \ldots, e_k\}$ then $|(e_1 \cdots e_k) \cdot w|_e = |w|_e \leq 1$. 

Consequently, in both cases, we have $|(e_1 \cdots e_k) \cdot w|_e \leq 1$. We remark that 
$(e_1 \cdots e_k) \cdot w \in \Sigma_p^*$, hence $(e_1 \cdots e_k) \cdot w \in S(\Sigma_p^*)$. We can apply Lemma 1 so that 
$(p, (e_1 \cdots e_k) \cdot w)$ is reachable in $R$. Because $(p, (e_1 \cdots e_k) \cdot w) \xrightarrow{\tau} (q_1, (e_1 \cdots e_k) \cdot 
w) \xrightarrow{?e_1 ?e_2 \cdots ?e_k} (q, w)$ is an execution of $R$, we obtain that $(q, w)$ is reachable in $R$. 
Finally: 

$$w \in \mathcal{L}_R(q) \qquad \square$$ 

Now let us present the main result of this section, which says that a regular 
expression for the recognizable reachability set of a Reactive Fiffo Automaton is 
effectively computable. 

Theorem 3. There exists an algorithm computing a regular expression for $\mathcal{L}_R(q)$, 
for every $q \in Q$. 

From the previous theorem, one may easily deduce the following corollary. 

Corollary 1. The Reachability Problem, the Finite Reachability Set Problem, 
the Inclusion of Reachability Sets Problem, the Control State Reachability Problem 
and the Termination Problem are decidable for RFAs. 

While recognizability of the reachability set of a Reactive Fiffo Automaton 
comes essentially from condition 1.(a) of Definition 1, effectiveness crucially depends 
on condition 2. of Definition 1. As a matter of fact, let us show that if 
we extend Control Automata by removing condition 2. of Definition 1, then the 
reachability set is still recognizable but it is no longer effectively computable. 
Indeed, for every machine capable of both lossiness and duplication errors, one 
may construct a generalized RFA having the same reachability set. Now it is 
known that machines capable of both lossiness and duplication errors have a 
non-effective recognizable reachability set. 

Example 2. Let us consider the RFA $R$ modelling our readers/writers example. 
The reachability set of $R$ is: 

$$RS(R) = \bigcup_{i \in \{0, 1, \ldots, 6\}} (q_i, S(F_i^*))$$ 

with $F_0 = F_3 = \{r_1, r_2, w_1, w_2\}$, $F_1 = F_5 = \{r_2, w_1, w_2\}$, $F_2 = F_6 = \{r_1, w_1, w_2\}$ 
and $F_4 = \{w_1, w_2\}$. The state $(q_5, w_1 r_2 w_2 w_2)$ is reachable while the state 
$(q_5, r_1)$ is not reachable. All the control states of $R$ are reachable. The reachability 
set of $R$ is infinite and $R$ does not terminate. 
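To make Definitions 1 to 3 and the Theorem 2 description of the queue language concrete, the following Python program is an added example; it is not code from the paper or from the Electre tools (SILEX, exile). It implements a Control Automaton with the well-formedness checks of Definition 1, the successor relation of a RFA as in Definition 2 (memorization with single and multiple storage, receptions in fiffo order), stability (Definition 3), a brute-force exploration truncated at a queue length bound (the true reachability set is infinite), and the right-hand side of Theorem 2, obtained by searching the sets $F$ with $\mathrm{CoReach}(q, F) \neq \emptyset$ from every stable control state. The control automaton is a constructed four-state readers/writers toy (control states idle, read1, read2, write; one single storage event r and one multiple storage event w), not the automaton of Figure 2, so its state and event names are assumptions. The CoReach search also requires every fired event $e_i$ to belong to $\Sigma_p$, which is what the proof of Theorem 2 relies on; that restriction is this example's reading of Definition 5.

```python
# Added example (not code from the paper or the Electre tools): RFA semantics (Definitions 1-3)
# and the Theorem 2 description of the fiffo-queue language, cross-checked by brute force on a toy.
from collections import deque
from itertools import product


class ControlAutomaton:
    # Definition 1.  tau: {(q, q')};  send: {(q, e)} standing for q -!e-> q;  recv: {(q, e, q')} for q -?e-> q'.
    def __init__(self, states, q0, single, multiple, tau, send, recv):
        self.Q, self.q0 = frozenset(states), q0
        self.tau, self.send, self.recv = frozenset(tau), frozenset(send), frozenset(recv)
        self.sigma_s, self.sigma_m = frozenset(single), frozenset(multiple)
        for q, e, q2 in self.recv:                  # Def. 1, 1.(b): every ?e transition has a tau twin
            if (q, q2) not in self.tau:
                raise ValueError(f"{q} -?{e}-> {q2} has no tau twin")
        for q, e in product(self.Q, self.sigma_s | self.sigma_m):   # Def. 1, 2.: completeness
            if (q, e) not in self.send and not any(p == q and f == e for p, f, _ in self.recv):
                raise ValueError(f"{e} is neither memorizable nor receivable in {q}")

    def memorizable(self, q):                       # Sigma_q
        return frozenset(e for p, e in self.send if p == q)


class RFA:
    # Definition 2.  A state is (control state, fiffo queue); the queue is a string of one-letter event names.
    def __init__(self, C):
        self.C, self.s0 = C, (C.q0, "")

    def stable(self, state):                        # Definition 3: the queue lies in Sigma_q^*
        return set(state[1]) <= self.C.memorizable(state[0])

    def successors(self, state):
        q, w = state
        sq, out = self.C.memorizable(q), []
        if set(w) <= sq:                            # conditions 1 and 2 apply to stable states only
            out += [("tau", (q2, w)) for p, q2 in self.C.tau if p == q]
            for p, e in self.C.send:                # 2.(a) stored single storage event ignored, 2.(b) else appended
                if p == q:
                    out.append(("!" + e, (q, w if e in self.C.sigma_s and e in w else w + e)))
        for i, e in enumerate(w):                   # condition 3: w = w1 e w2 with w1 in Sigma_q^*
            out += [("?" + e, (q2, w[:i] + w[i + 1:])) for p, f, q2 in self.C.recv if p == q and f == e]
            if e not in sq:
                break                               # w1 cannot extend past a non-memorizable letter
        return out

    def reachable(self, max_queue):                 # brute force, truncated at queue length max_queue
        seen, todo = {self.s0}, deque([self.s0])
        while todo:
            for _, t in self.successors(todo.popleft()):
                if len(t[1]) <= max_queue and t not in seen:
                    seen.add(t); todo.append(t)
        return seen


def run(rfa, steps):
    # follow (action, target control state) pairs from the initial state; returns the visited states
    s, trace = rfa.s0, [rfa.s0]
    for action, target in steps:
        (s,) = [t for a, t in rfa.successors(s) if a == action and t[0] == target]   # exactly one match
        trace.append(s)
    return trace


def in_S(w, F, sigma_s):
    # w in S(F^*): a word over F in which every single storage event occurs at most once
    return set(w) <= F and all(w.count(e) <= 1 for e in sigma_s)


def theorem2_families(C):
    # Theorem 2: for q in RS(C), L_R(q) = S(Sigma_q^*) U S(F^*) over all F with CoReach(q, F) != {}.
    # CoReach(q, F) is searched from every reachable p: one tau step, then receptions ?e1 ... ?ek with
    # every e_i in Sigma_p (the proof of Theorem 2 uses this) and each single storage event fired once.
    rs, todo = {C.q0}, [C.q0]
    while todo:                                     # RS(C) along tau-transitions only (Remark 1)
        q = todo.pop()
        new = [q2 for p, q2 in C.tau if p == q and q2 not in rs]
        rs.update(new); todo += new
    fams = {q: {C.memorizable(q)} for q in rs}
    for p in rs:
        sp = C.memorizable(p)
        todo = [(q1, frozenset()) for p0, q1 in C.tau if p0 == p]
        seen = set(todo)
        while todo:
            q, fired = todo.pop()
            fams[q].add(sp - fired)                 # F = Sigma_p \ (Sigma_s & {e1, ..., ek})
            for p0, e, q2 in C.recv:
                nxt = (q2, fired | ({e} & C.sigma_s))
                if p0 == q and e in sp and e not in fired and nxt not in seen:
                    seen.add(nxt); todo.append(nxt)
    return fams


def toy_readers_writers():
    # Constructed toy (not the paper's Figure 2): r = read request (single storage), w = write request
    # (multiple storage); the control states count the active readers (read1, read2) or the writer.
    tau = {("idle", "read1"), ("idle", "write"), ("read1", "read2"),
           ("read1", "idle"), ("read2", "read1"), ("write", "idle")}
    recv = {("idle", "r", "read1"), ("read1", "r", "read2"), ("idle", "w", "write")}
    send = {("read1", "w"), ("read2", "r"), ("read2", "w"), ("write", "r"), ("write", "w")}
    return ControlAutomaton({"idle", "read1", "read2", "write"}, "idle", {"r"}, {"w"}, tau, send, recv)
```

Running `run(RFA(toy_readers_writers()), ...)` on the sequence tau, !w, tau, !r, !r, tau, ?r reproduces the three phenomena of Example 1 on the toy: the second !r is ignored because r is a single storage event already in the queue, the state (read1, "wr") is unstable so only a reception is enabled, and that reception fires r although w is older, since w is memorizable in read1 (fiffo, not fifo). In this toy every control state ends up with the same queue language $S(\{r, w\}^*)$, even though $\Sigma_{\mathrm{idle}} = \emptyset$ and $\Sigma_{\mathrm{read1}} = \{w\}$: the unstable states inherit their queues from stable predecessors, which is exactly what the $\mathrm{CoReach}$ part of Theorem 2 accounts for, and the brute-force exploration agrees with the formula on every word up to the bound while never storing r twice (Remark 2).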



Remark 3. We have implemented an optimized algorithm which computes, simultaneously 
for all control states $q$, a regular expression for $\mathcal{L}_R(q)$. This algorithm 
has a complexity of $O(K(|\Sigma|) \cdot |Q| \cdot |\rightarrow|)$, where $K(|\Sigma|) = O(2^{|\Sigma|})$ is the 
complexity of subset operations over $\Sigma$. Hence, the various decision problems of 
Corollary 1 are decidable with the same complexity. 

The reachability set of a Reactive Fiffo Automaton with a non-empty initial 
fiffo queue is still recognizable and effectively computable [Sut97]. This result 
in particular allows us to decide the Recurrent Reachability Problem for RFAs. 

The previous theorems are very useful when considering practical aspects: 
simulation and verification. Indeed, the compilation of an Electre program produces 
a RFA (given by its associated Control Automaton), which is used for 
simulation and verification purposes. This RFA leads to a C program, which is 
then compiled to produce an executable file. Clearly, the control states which 
are not reachable do not need to be included in the C program. This is also 
the case for the transitions of the Control Automaton which are not quasi-live 
(a transition $t$ of a Control Automaton is quasi-live if there exists an execution 
containing $t$ in the associated RFA). Fortunately, the Quasi-liveness Problem is 
decidable for RFAs. 

Proposition 1. The Quasi-liveness Problem is decidable for RFAs. 

Proof. If $t = (q \xrightarrow{\tau} q')$ is a $\tau$-transition or if $t$ is an emission transition of the 
Control Automaton $C$, then $t$ is quasi-live if and only if $q$ is a reachable control 
state of $C$, which is decidable. A reception transition $q \xrightarrow{?e} q'$ of $C$ is quasi-live if 
and only if $\mathcal{L}_R(q) \cap \Sigma_q^* e \Sigma^* \neq \emptyset$, which is decidable because a regular expression 
for $\mathcal{L}_R(q)$ is computable. $\square$ 
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5 Relationships between Reactive Fiffo Automata and 
Finite Automata 

In the previous section, we have precisely described the reachability set of a 
Reactive Fiffo Automaton. We now analyse the set of executions of a RFA, and 
we establish a comparison between RFAs and Finite Automata. We first study 
the general case of trace inclusion between a RFA and a Finite Automaton. We 
then analyse the model checking of LTL. 

5.1 Trace Inclusions 

One may believe that Reactive Fiffo Automata are essentially equivalent to Finite 
Automata, because reception transitions are not blocking (as for each reception 
transition $q \xrightarrow{?e} q'$ of a Control Automaton, there exists a $\tau$-transition 
$q \xrightarrow{\tau} q'$) and emission transitions can be repeated arbitrarily often. But the 
following undecidability results prove that this is not the case. 

We define the trace language of a RFA in the usual way: we introduce a new 
alphabet of actions $\Lambda$ and every transition of a Control Automaton is labelled 
by an action $a \in \Lambda$ or by the empty word $\varepsilon$. The set of finite (resp. infinite) 
traces $T^*(R)$ (resp. $T^\omega(R)$) of a RFA $R$ is the set of finite (resp. infinite) words 
over $\Lambda$ corresponding to finite (resp. infinite) executions of $R$. 

It is clear that for every regular language $L$ (resp. $\omega$-regular language $L$), 
there exists a RFA $R$ such that $T^*(R) = L$ (resp. $T^\omega(R) = L$). The following 
theorem shows that, from a trace language point of view, inclusions between 
RFAs and Finite Automata are undecidable. 

Theorem 4. The four following problems are undecidable: 

i) Given a RFA $R$ and a regular language $L$, is $T^*(R) \subseteq L$? 
ii) Given a RFA $R$ and a regular language $L$, is $T^*(R) \supseteq L$? 
iii) Given a RFA $R$ and an $\omega$-regular language $L$, is $T^\omega(R) \subseteq L$? 
iv) Given a RFA $R$ and an $\omega$-regular language $L$, is $T^\omega(R) \supseteq L$? 

As RFAs contain all Finite Automata, we obtain the following corollary. 

Corollary 2. The two following problems are undecidable: 

i) Given two RFAs $R_1$ and $R_2$, is $T^*(R_1) \subseteq T^*(R_2)$? 
ii) Given two RFAs $R_1$ and $R_2$, is $T^\omega(R_1) \subseteq T^\omega(R_2)$? 

5.2 Model Checking with LTL 

We prove, in this section, that the linear temporal logic LTL [MP92, Eme90] 
without the temporal operator next, which we denote by LTL\X, is decidable 
for Reactive Fiffo Automata. This result in particular allows one to check liveness and 
safety properties, and also to decide the Recurrent Control State Problem for RFAs. 
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Notation. For every transition system TS = (5, sq, A, — >), we write C^{TS) for 
the set of w-sequences of states corresponding to infinite executions of TS”: 

C^{TS) = {sqSi ■■ - Sn-- ■ / Vi e N, Sj ^ Si+i} 

In the following, we consider a finite set AP of atomic propositions on which 
are based LTL formulas. Unless specified, we assume that the atomic propositions 
label control states. Two w-sequences of states are equivalent modulo stuttering 
iff they display the same w-sequence of states when two repeated consecutive 
states are seen as one state only. 

Theorem 5 ( EaTSSl ). Two Lo-sequences of states equivalent modulo stutter- 
ing satisfy the same LTL\X formulas. 

We will now prove that a Control Automaton C and the Reactive Fiffo 
Automaton R associated with C satisfy the same LTL\X formulas. In this way. 
Model-checking of LTL\X is decidable for Reactive Fiffo Automata. In order 
to demonstrate this result, we introduce a Finite Automaton, Restr(C), built 
from C. We will actually show that C, R and Restr(C) satisfy the same LTL\X 
formulas. 

Definition 6 (Restricted Control Automaton). The Restricted Control 
Automaton $\mathrm{Restr}(C)$ associated with a Control Automaton $C = (Q, q_0, (\{!, ?\} \times 
\Sigma) \cup \{\tau\}, \rightarrow)$ is the finite transition system $\mathrm{Restr}(C) = (S, s_0, A, \rightarrow_{\mathrm{Restr}(C)})$ 
defined as follows: 

• $S = Q \cup \bar{Q}$, with $\bar{Q} = \{\bar{q} \mid q \in Q\}$ a copy of $Q$, is the set of states, and, 

• $s_0 = q_0$ is the initial state, and, 

• $A = (\{!\} \times \Sigma) \cup \{\tau\}$ is the set of actions, and, 

• the set of transitions $\rightarrow_{\mathrm{Restr}(C)}$ is the smallest subset of $S \times A \times S$ verifying 
for all $q, q' \in Q$ the two following properties: 

1. if $q \xrightarrow{\tau} q'$ then $q \xrightarrow{\tau}_{\mathrm{Restr}(C)} q'$, and, 

2. if $q \xrightarrow{!e} q$ then we have $q \xrightarrow{!e}_{\mathrm{Restr}(C)} \bar{q}$ and also $\bar{q} \xrightarrow{!e}_{\mathrm{Restr}(C)} \bar{q}$. 

We notice that, according to point 2. of Definition 1, each state of a Control 
Automaton is the source of a transition. Furthermore, this property holds 
for Reactive Fiffo Automata and Restricted Control Automata too. In this way, model 
checking of LTL is well-defined for these transition systems. 

In the following, in order to simplify the presentation, we identify the states $q$ 
and $\bar{q}$ of a Restricted Control Automaton. Moreover, if $Q \times \Sigma^*$ is the set of 
states of a Reactive Fiffo Automaton, we will write $\mathrm{proj}_Q$ for the projection 
on control states: $\mathrm{proj}_Q$ is the morphism $\mathrm{proj}_Q : (Q \times \Sigma^*)^* \rightarrow Q^*$ defined by 
$\mathrm{proj}_Q(q, w) = q$, extended to $\omega$-sequences in the obvious way. 

The two following lemmas express close relations between Control Automata, 
Reactive Fiffo Automata and Restricted Control Automaton. 

Lemma 3. Let $R$ be the Reactive Fiffo Automaton associated with a Control 
Automaton $C = (Q, q_0, (\{!, ?\} \times \Sigma) \cup \{\tau\}, \rightarrow)$. We have: 

$$\mathcal{L}^\omega(\mathrm{Restr}(C)) \subseteq \mathrm{proj}_Q(\mathcal{L}^\omega(R)) \subseteq \mathcal{L}^\omega(C)$$ 

Lemma 4. Let $C = (Q, q_0, (\{!, ?\} \times \Sigma) \cup \{\tau\}, \rightarrow)$ be a Control Automaton. For 
every $\omega$-sequence $v \in \mathcal{L}^\omega(C)$, there exists an $\omega$-sequence $v' \in \mathcal{L}^\omega(\mathrm{Restr}(C))$ such 
that $v$ and $v'$ are equivalent modulo stuttering. 

We now present the main result of this section, which in particular allows one to 
check liveness and safety properties on RFAs. 

Theorem 6. Model-checking of LTL\X is decidable for Reactive Fiffo Automata 
and is PSPACE-complete. 

Proof. Let $R$ be a RFA associated with a Control Automaton $C = (Q, q_0, (\{!, ?\} \times 
\Sigma) \cup \{\tau\}, \rightarrow)$. According to Lemma 3, Lemma 4 and Theorem 5, we obtain 
that $C$, $R$ and $\mathrm{Restr}(C)$ satisfy the same LTL\X formulas. Now, model-checking 
of LTL\X is PSPACE-complete for Finite Automata [SC85], which concludes 
the proof. $\square$ 

Corollary 3. The Recurrent Control State Problem is decidable for Reactive 
Fiffo Automata. 

We finally show that the model-checking of LTL with atomic propositions 
on transitions is undecidable. Let us remark that this result is stronger than 
Theorem 4 iii). 

Theorem 7. Model-checking o/LTL with atomic propositions on transitions is 
undecidable for Reactive Fiffo Automata. 

6 Conclusion 

In this work, we were interested in the verification of Reactive Fiffo Automata, 
a new class of infinite systems that models Electre programs. 

We have shown in this paper that Reactive Fiffo Automata have a recog- 
nizable reachability set and that it is effectively computable. This result allows 
to decide several problems involved in verification of RFAs, for instance the 
Reachability Problem, the Finite Reachability Set Problem and the Inclusion of 
Reachability Sets Problem. 

This work is a first step towards the assessment of the response times of a system 
that takes memorized occurrences of events into account. This will be of great 
significance for real-life systems. 

We have also analysed the relationships between Reactive Fiffo Automata 
and Finite Automata. We have proved that from a trace language point of view, 
inclusions between RFAs and Finite Automata are undecidable. But fortunately, 
we obtained that the linear temporal logic LTL without the temporal operator 
next (LTL\X) is decidable for Reactive Fiffo Automata. This result especially 
allows to check liveness and safety properties. 

The decidability of fragments of CTL has already been investigated. 
The decidability of LTL (with atomic propositions on states) and the decidability 
of CTL remain open problems. 
Abstract. This article presents experiences gained from the verification of communication properties of a large-scale real-world embedded 
system by means of formal methods. This industrial verification project 
was performed for a fault-tolerant system designed and implemented by 
Daimler-Benz Aerospace for the International Space Station ISS and fo- 
cused essentially on deadlock and livelock analysis. The approach is based 
on CSP specifications and the model-checking tool FDR. The tasks are 
split into manageable subtasks by applying abstraction techniques for 
restricting the specifications to the essential communication behavior, 
modularization according to the process structure, and a set of generic 
theories developed for the application. 



1 Introduction 

The acceptance of Formal Methods in industries essentially depends on their 
scalability, i.e. their applicability in large scale realistic industrial projects. An 
important aspect is the availability of suitable tools, but from our experience 
this is but one aspect. The diverse nature of system components and the tech- 
niques used in the different steps of the development process require the use 
of a combination of methods for the development as well as for the analysis of 
these components. In this paper we report experiences in using a combination 
of methods for the analysis of a large software system, namely the fault-tolerant 
data management system for the International Space Station (ISS). It was necessary to use these methods in order to break down the respective tasks into manageable sub-tasks. 

The project started in 1995 when JP Software-Consulting in collaboration 
with the Bremen Institute for Safe System (BISS) were contracted by Daimler- 
Benz Aerospace (DASA) to perform an analysis of a fault-tolerant data manage- 
ment system for the ISS. Up to now various aspects of the system correctness 
have been investigated: 

— freedom of deadlock (see for example Buth et al. [3]), 

— freedom of livelock, 

— correct implementation of voting algorithms, 

— correct implementation of the Byzantine Agreement Protocol, 



A.M. Haeberer (Ed.): AMAST’98, LNCS 1548, pp. 124-^221 1998. 
— performance properties depending on clock rates, 

— Hardware-In-The-Loop tests for the overall system. 

Different approaches were employed for these analysis tasks. These comprise abstraction of the occam code to CSP processes and reasoning on these abstractions, Hoare-style program verification for sequential code, and the use of stochastic Petri nets for the throughput analysis. 

Whereas the results presented in Buth et al. [3] relate to the deadlock analysis, this article focuses on the techniques used for the livelock analysis. Rather than presenting in-depth theoretical results, our goal is to describe how we overcame the essential problems of size and complexity of a realistic large-scale system by employing a combination of methods for the analysis. Due to the confidential nature of the material it is unfortunately not possible in this framework to make available details of the original code or our specifications (these are available only in the internal reports [?]). 

In the following section a brief overview of the fault tolerant computer is given. Section 3 provides an overview of the methods used for the analysis. In Section 4 our experiences are described and put into relation to the deadlock analysis. The conclusion outlines future work, especially with respect to tool support for similar analysis projects. 

2 The Fault Management System 

The software to be analyzed is part of a fault tolerant computer to be used in 
the International Space Station (ISS) to control space station assembly, reboost 
operations for flight control, and data management for experiments carried out 
in the space station. 

The overall architecture consists of up to four communicating lanes, each 
providing services for the applications. Each of these lanes is structured into 
an application services layer (ASS), a fault management layer (FML), and the 
avionics interface (AVI). The ASS resides on the application layer board and 
contains table driven services for the application software and the operating 
system. The AVI is in charge of the MIL Bus protocol handling according to 
predefined timing slot allocations. These are defined in an input/output table. 
The function of the FML is twofold: First, it provides the interface between the 
ASS and AVI of one lane, transferring messages from AVI to ASS and vice versa. 
Second, it performs the data transfer between lanes thus allowing communication 
between the fault management layers of all lanes. This communication is the basis 
for error detection, error correction, lane isolation (in the case of an unrecoverable 
error), and lane reintegration. In each lane, the application layer plus ASS runs 
on a customized Matra board using a SPARC CPU. Both FML and AVI reside 
on separate transputer boards. The lanes communicate only at FML level using 
the transputer links. Each FML uses up to three links for communication with 
the other lanes, and one link (link 0) for communication with the AVI. Data 
transfer with the ASS is performed using a VME interface. See Figure 1 for the 
architecture of a full four-lane system. 
Fig. 1. FTC architecture (figure not reproduced; bus label: MIL-BUS) 

3 Livelock Analysis with CSP 



The general idea for the analysis of communication properties of Occam programs as proposed here is to exploit the fact that occam channel communication can easily be modelled in CSP. For CSP a wide range of theories and suitable tools like theorem provers and model checkers are available. The original idea for the livelock analysis performed in this project is to use model checking and the tool FDR. After manually abstracting the occam programs to CSP processes, the systems turned out to be too large for a direct approach using FDR. Thus it is necessary to decompose the task and use other techniques for combining the partial results to obtain an overall result for the full system. Some of these techniques are tool supported, others currently are only performed unassisted. 

Compositionality theories allow us to exploit general results from CSP theory to reduce the overall task of checking system properties to checks of properties of components without additional justifications. The same holds for the use of generic theories in this framework: by proving that CSP processes are refinements of instances of such generic theories, certain properties can be derived for the concrete process which are used for the proof of livelock freedom. The additional obligation, namely the proof that the original component is indeed a refinement of the instance of the generic theory, can be discharged using FDR. In cases where neither of these approaches is directly applicable it is necessary to further decompose the system and use property oriented techniques such as liveness induction or dependency analysis to combine the results. 

In high level concurrent programming languages, such as occam it is con- 
ventional for communication channels between two processes to be concealed 
from the environment. This can potentially cause a form of divergence known as livelock. 

The objective of our analysis is to investigate the occurrence of internal divergence only. A CSP (or Occam) system X is called livelock free with respect to interface channels c1, c2, ..., cn, if the system will never engage in an unbounded sequence of (internal) communications without interleaved (visible) communications on the interface c1, c2, ..., cn. This property is as important as the absence of deadlocks since it ensures the interaction of the system with its environment. 

For real-time applications, periodic internal events such as time-scheduled 
interrupts cannot cause divergence as long as their period is long enough to 
allow for other activities in between. These events may cause cycles of internal 
communications which are intended and not to be considered as livelock, because 
their occurrence is guarded by time intervals where other communication events 
are possible. To reflect this properly in an untimed CSP model, we regard these 
channels as part of the interface for the purpose of livelock analysis. 

The verification of livelock freedom of AVI and FML is discussed in this document. We wish to justify that they are livelock free with respect to their respective external interfaces. In the following we are going to present the techniques applied for this purpose. The first subsections describe methods used for both AVI and FML, whereas Subsection 3.4 and Subsection 3.5 refer to different techniques used in FML and AVI respectively for deriving results for larger sets of processes that cannot be obtained using model-checking. 

3.1 Abstract Interpretation 

For the analysis of livelock freedom it is unnecessary to inspect every detail of 
the Occam code, since only a subset of the programmed statements influences the 
communication behavior. It is therefore possible to generate a CSP specification 
which represents an abstract version of the original occam process P showing 
only the amount of detail which is relevant for communication behavior. Such 
a CSP specification A(P) is called a livelock-valid abstract interpretation of the corresponding occam process P, if 

Whenever P runs into a livelock situation this implies that A(P) may run into a livelock situation, too. 

If a livelock-valid abstract interpretation A(P) is available, we can analyse A(P) instead of P: If A(P) is free of livelocks, the same must hold for P. 

The basic approach to construct valid abstract interpretations uses four steps 
in the translation from occam to CSP: 

1. Every sequential algorithm whose results do not influence communication 
behavior is deleted. 

2. Each Occam channel protocol is reduced to a simpler one such that its values 
influence the communication behavior in a different way. 

3. Every occam IF-construct IF condition THEN P ELSE Q may be replaced by the internal choice operator of CSP yielding P ⊓ Q. 

4. If valid abstract interpretations A(P), A(Q) for two processes P and Q are available and these interpretations use the same protocol on their communication interface I, then A(P) ||_I A(Q) is a valid abstract interpretation of P and Q operating in parallel. Using this fact, larger abstract interpretations can be built from existing ones. 

If a livelock-valid abstraction of an Occam process is not livelock free, two cases are possible: Either the occam process contains a livelock or we have introduced too high a degree of nondeterminism in its CSP abstraction, for example, through using the first three techniques. Since we intuitively assume that the Occam process should turn out to be livelock free, we try to find another valid abstraction which is more deterministic than the one we have constructed. The correctness of the abstraction methods can be shown by induction on occam processes. A more detailed description of our abstraction methods is given in [?]. 

3.2 Model-Checking and Refinement Properties 

The specification language CSP (Communicating Sequential Processes) is associated with a formal method allowing one to verify properties of parallel systems. (See Hoare [?] and the recent book by Roscoe [?] for more details). CSP processes proceed by engaging in communications. Processes may be composed by operators which require synchronization on some communications. This, rather than assignments to shared state variables, is the fundamental means of interaction between agents. The theory of CSP has classically been based on mathematical models remote from the language itself. These models have been based on observable behaviors of processes such as traces, failures and divergences. The semantics of a CSP process can be given in three models: 

— In the trace model a process is represented by the set of finite sequences of 
communications it can perform. 

— In the failures model a process is represented by its set of traces as above and 
also by its failures - a set of communications it can refuse after a sequence 
of communications. 

— The failures-divergence model extends the failures model with the divergences 
of a process - the traces during or after which the process can perform an 
infinite sequence of consecutive internal actions. 

Every CSP specification consisting of finite-state processes with finite-value 
channels can be translated into a finite transition graph representation. This 
graph contains all the semantic information of the original CSP specification. As 
a consequence, every property of the specification - as, for example, livelock free- 
dom - can be verified by exhaustive analysis of the transition graph. Moreover, 
such an analysis can be mechanised. The FDR tool provides this mechanisation 
and has been used for all model checking results about the abstract interpreta- 
tions described in this document. 

Two CSP processes P1 and P2 can be compared in the failures-divergence model with regard to the following property: 

P2 can perform only communications P1 may also perform, but P2 refuses less and diverges less than P1. 

If this is the case, P2 is called a failures-divergence refinement of P1. This is denoted by P1 ⊑FD P2. Failures-divergence refinement preserves deadlock freedom and livelock freedom and restrictions on possible communication sequences. If P1 is free of livelocks and observes a safety condition about communication sequences, then every process refining P1 in the failures-divergence model has these properties, too. If P1 and P2 are finite-state CSP specifications the refinement relation P1 ⊑FD P2 can be verified by model checking. 

A typical application of this refinement relation in our context is the fact 
that 

given a valid abstract interpretation A(P) of P and a process Q such that Q ⊑FD A(P), then Q is also a valid abstract interpretation of P. 

The second refinement relation applied to prove livelock freedom is trace 
refinement. 

Process P2 is a trace refinement of P1 (denoted by P1 ⊑T P2), if every trace of communications that P2 may perform is also a trace of P1. 

Failures-divergence refinement implies trace refinement, but for certain situations it is easier to deal with the latter, because the investigation of trace refinement properties does not require the analysis of refusal sets which is necessary for failures-divergence refinement checking. Formally speaking, the livelock freedom of a process X with internal communications L and external communications C means that there exists a bounding function f : N0 → N0, such that 

    #(s↾L) ≤ f(#(s↾C)) 

where #(s↾L) is the number of local communications in s and the length of the trace s restricted to communications in C is denoted by #(s↾C). An equivalent way of expressing the property of livelock freedom is to say that X\L (treating L as internal channels of X) must not diverge. 
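The divergence condition just stated, that X\L must not diverge, is what a model checker decides on a finite transition graph: once the channels in L are hidden, the process diverges exactly when a cycle consisting only of hidden transitions is reachable. The following Python program is an added example, not code from the paper or from FDR; the transition tables, channel names and the timer scenario are constructed for the example. It also reflects the modelling decision of Section 3 for periodic timer events: hiding the timer channel produces a spurious divergence, keeping it in the interface removes it, while a genuine internal resend loop is reported together with the visible trace that leads to it.

```python
from collections import deque

# Constructed example (not from the paper): a finite labelled transition
# system (LTS) as (source, event, target) triples.  Hiding a set L of
# channels turns those events into internal steps; X\L diverges iff a cycle
# of internal steps is reachable, which is what a divergence check in the
# failures-divergence model looks for.

def find_divergence(initial, transitions, hidden):
    """Return the visible trace after which the process can diverge when the
    events in `hidden` are internal, or None if X\\hidden is divergence-free."""
    succ = {}
    for src, ev, dst in transitions:
        succ.setdefault(src, []).append((ev, dst))

    # Breadth-first search over all reachable states, recording for each one
    # a visible trace (hidden events contribute nothing) that leads to it.
    visible_trace = {initial: ()}
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        for ev, dst in succ.get(state, []):
            if dst not in visible_trace:
                step = () if ev in hidden else (ev,)
                visible_trace[dst] = visible_trace[state] + step
                queue.append(dst)

    # Depth-first search restricted to hidden transitions: reaching a grey
    # (on-stack) state again means a cycle of internal steps, i.e. a divergence.
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {s: WHITE for s in visible_trace}

    def hidden_cycle_from(start):
        colour[start] = GREY
        stack = [(start, iter(succ.get(start, [])))]
        while stack:
            node, edges = stack[-1]
            for ev, dst in edges:
                if ev not in hidden:
                    continue
                if colour[dst] == GREY:
                    return True
                if colour[dst] == WHITE:
                    colour[dst] = GREY
                    stack.append((dst, iter(succ.get(dst, []))))
                    break
            else:
                colour[node] = BLACK
                stack.pop()
        return False

    # States are tried in BFS order, so the witness carries a short visible prefix.
    for state in visible_trace:
        if colour[state] == WHITE and hidden_cycle_from(state):
            return visible_trace[state]
    return None


# Constructed abstraction of an occam pair X || Y: X reads `in`, hands the
# value to Y on the internal channel `mid`, Y writes `out`.  A timer process
# additionally drives a polling round on `tick`/`poll`.
TIMED_SYSTEM = [
    (0, "in", 1), (1, "mid", 2), (2, "out", 0),
    (0, "tick", 3), (3, "poll", 0),
]

# Constructed variant with a genuine livelock: Y may reject the value on the
# internal channel `nack` and X resends on `mid` without limit.
RETRY_SYSTEM = [
    (0, "in", 1), (1, "mid", 2), (2, "nack", 1), (2, "out", 0),
]

def timer_hidden():
    """Hiding the periodic `tick` as well makes the polling loop look like a
    divergence right at the start (empty visible trace)."""
    return find_divergence(0, TIMED_SYSTEM, {"mid", "poll", "tick"})

def timer_in_interface():
    """Keeping `tick` in the interface, as the paper does for time-scheduled
    events, removes the spurious divergence."""
    return find_divergence(0, TIMED_SYSTEM, {"mid", "poll"})

def retry_loop():
    """The resend loop is a real livelock, reachable after the trace ('in',)."""
    return find_divergence(0, RETRY_SYSTEM, {"mid", "nack"})

if __name__ == "__main__":
    print("timer hidden      :", timer_hidden())
    print("timer in interface:", timer_in_interface())
    print("retry loop        :", retry_loop())
```

The check is linear in the size of the reachable graph; the state explosion the paper reports comes from building that graph for the composed system, not from the cycle search itself.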

Our main application of trace refinement is given by the following theorem 
which obviously holds because the refining process only runs through traces 
which are possible for the abstract process as well: 

Theorem 1. Let P1 be a process over alphabet {|c1, c2, ..., cn|} ∪ L with bounding function f : N0 → N0 such that every trace s of P1 satisfies 

    #(s↾L) ≤ f(#(s↾{|c1, c2, ..., cn|})) 

Then f is also a bounding function for every trace of P2 which refines process P1. □ 

As a consequence of this theorem, we can apply the following verification strategy to prove that a process P2 is free of livelocks: 

— Construct a “simple” process P1 for which the existence of a bounding function is obvious. 

— Verify by model checking that P1 ⊑T P2 holds. This implies livelock freedom of P2. 

In general it is helpful to take simple processes from generic theories with known properties as the goal of this further abstraction. Examples of such generic theories are pipes and buffers, or the more specialized process MUXOUT below. 

We are going to take the process Input Distributor, which is one of the modules of FML, as an example to show the application of Theorem 1. The structure^ of Input Distributor is given by Figure 2. 

Fig. 2. Input Distributor (figure not reproduced; channel label: (3) To_N_FIFO) 

At first we give a general CSP specification MUXOUT(max, max, IN, OUT) of processes which will always be ready for inputs on channels IN after at most max outputs on channels OUT. 

^ For presenting graphs of processes and their communication we use data flow diagrams as used in the original FTC documentation. See for example De Marco [?] for a detailed description. 

    MUXOUT(n, max, IN, OUT) = 
        if (n == 0) 
        then MUXIN(max, IN, OUT) 
        else (MUXIN(max, IN, OUT) 
              ⊓ 
              (⊓ y : OUT • (y → MUXOUT(n − 1, max, IN, OUT)))) 

    MUXIN(max, IN, OUT) = 
        ⊓ x : IN • (x → MUXOUT(max, max, IN, OUT)) 

A bounding function of the CSP specification MUXOUT(max, max, IN, OUT) is f(x) = max * x. Now we can use the FDR tool for verifying the following refinement relation: 

    MUXOUT(4, 4, IN, OUT) ||| CHAOS(M) ⊑T A(Input Distributor) 

where 

    IN = {| ToInDist |} 
    OUT = {| To_SS_FIFO, To_N_FIFO, To_QCS_FIFO, To_CS_FIFO, To_OutDist_FIFO |} 
    M = {| Error_Messages_Q, LinkInError |} 
    CHAOS(A) = (⊓ a : A • (a → CHAOS(A))) ⊓ STOP 

and M is the set of those channels the communication behavior of which is irrelevant (CHAOS(M)). Process STOP refuses to do anything. So, the outputs on channels To_SS_FIFO, To_N_FIFO, To_QCS_FIFO, To_CS_FIFO and To_OutDist_FIFO are bounded by the inputs on channels ToInDist[0..6]. 
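The refinement check above can be reproduced in miniature: because internal choice does not affect traces, the traces of MUXOUT(max, max, IN, OUT) are exactly those in which at most max outputs occur before the first input and between consecutive inputs, so the specification side of P1 ⊑T P2 reduces to a counter, and CHAOS(M) simply permits any event of M at any point. The Python program below is an added example, not the paper's or FDR's code; MUXOUT and CHAOS are taken from the text, whereas the two distributor abstractions, their channel names and the bound max = 2 are constructed for the example. It enumerates the traces of a small concrete process up to a depth bound and reports the shortest trace the specification cannot perform.

```python
# Added example (not the paper's code): the generic MUXOUT process of the
# paper, rendered as a deterministic "output credit" acceptor, and a bounded
# trace-refinement check MUXOUT(max,max,IN,OUT) ||| CHAOS(M) ⊑T P for a
# small constructed abstraction P of an input distributor.  The transition
# tables and channel names below are constructed for the example.

def muxout_accepts(trace, max_out, IN, OUT):
    """True iff `trace` (events from IN ∪ OUT) is a trace of
    MUXOUT(max_out, max_out, IN, OUT).  The internal choices of MUXOUT do not
    matter for traces: every input restores a credit of max_out outputs and
    every output consumes one, so the trace set is recognised by a counter."""
    credit = max_out
    for ev in trace:
        if ev in IN:
            credit = max_out
        elif ev in OUT:
            if credit == 0:
                return False
            credit -= 1
        else:
            return False
    return True

def traces_of(transitions, initial, depth):
    """All traces of length <= depth of a finite LTS given as
    (source, event, target) triples."""
    succ = {}
    for src, ev, dst in transitions:
        succ.setdefault(src, []).append((ev, dst))
    traces = {()}
    frontier = [(initial, ())]
    for _ in range(depth):
        nxt = []
        for state, tr in frontier:
            for ev, dst in succ.get(state, []):
                ext = tr + (ev,)
                traces.add(ext)
                nxt.append((dst, ext))
        frontier = nxt
    return traces

def muxout_chaos_refined_by(transitions, initial, max_out, IN, OUT, M, depth=12):
    """Bounded check of MUXOUT(max_out,max_out,IN,OUT) ||| CHAOS(M) ⊑T P.
    CHAOS(M) has every finite sequence over M as a trace, so interleaving
    with it simply lets P use the channels in M freely.  Returns the shortest
    trace of P that the specification cannot perform, or None."""
    for tr in sorted(traces_of(transitions, initial, depth), key=len):
        if any(ev not in IN | OUT | M for ev in tr):
            return tr                     # an event outside the alphabet
        core = tuple(ev for ev in tr if ev not in M)
        if not muxout_accepts(core, max_out, IN, OUT):
            return tr                     # too many outputs between inputs
    return None

IN  = {"ToInDist"}
OUT = {"To_SS_FIFO", "To_N_FIFO", "To_QCS_FIFO"}
M   = {"LinkInError"}

# Constructed distributor: each input is forwarded to at most two FIFOs, and
# link errors are reported at any time in the idle state.
GOOD_DISTRIBUTOR = [
    (0, "ToInDist", 1), (1, "To_SS_FIFO", 2), (2, "To_N_FIFO", 0),
    (2, "ToInDist", 1), (0, "LinkInError", 0),
]

# Constructed faulty variant: three outputs per input, which no process
# refining MUXOUT(2, 2, IN, OUT) can have as a trace.
BAD_DISTRIBUTOR = [
    (0, "ToInDist", 1), (1, "To_SS_FIFO", 2), (2, "To_N_FIFO", 3),
    (3, "To_QCS_FIFO", 0),
]

def check_good():
    return muxout_chaos_refined_by(GOOD_DISTRIBUTOR, 0, 2, IN, OUT, M)

def check_bad():
    return muxout_chaos_refined_by(BAD_DISTRIBUTOR, 0, 2, IN, OUT, M)

if __name__ == "__main__":
    print("good distributor counterexample:", check_good())
    print("bad distributor counterexample :", check_bad())
```

The depth bound makes this a bounded check, unlike FDR's exhaustive one; for a finite LTS it becomes complete once the depth exceeds the number of states times (max + 1), since every longer violating trace has a shorter witness.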

3.3 Compositionality and Generic Theories 

A real-world system such as FML usually consists of a number of processes which 
communicate and each of them may be comprised of several subprocesses. An 
example from FML for such a process is the process Input Distributor. How to 
compose the analysis results for each of these subprocesses and processes for the 
livelock verification of the overall system is the most difficult activity during the 
livelock analysis. In the following we will present some of the techniques and 
theoretical results we applied. 

The first result follows from the simple theory of non-divergent pipes described in [?, p. 156]: 

Theorem 2. Suppose CSP process P is structured as 

    P = (X ||_LEFT B ||_RIGHT Y) 

(the parallel operators synchronising on the channel sets LEFT and RIGHT), where X is inputting from a set of channels IN and placing data on channels LEFT into a buffer B and Y is inputting from B on RIGHT and outputting on channels OUT without feedback to IN. Then, if 

1. the buffer B has bounded capacity, 

2. the number of buffer inputs on LEFT is bounded by the number of X-inputs on IN, 

3. the buffer outputs on RIGHT are destructive (that is, each entry is removed from the buffer by reading it on a RIGHT-channel), 

the number of B-outputs on RIGHT is bounded by the number of X-inputs on IN. If in addition 

4. the number of Y-outputs on OUT is bounded by the number of entries in the buffer, 

the number of Y-outputs on OUT is also bounded by the X-inputs on IN. 

□ 



Using the first result of the theorem we can show that the outputs on channels InDist2Voter and InDist2OutDist in the process Input Distributor are bounded by the inputs on channels ToInDist[0..6], since all buffers involved are bounded buffers. 

CSP provides several operators, such as the parallel operator ( || ) and the interleaving operator ( ||| ), which allow one to construct new processes out of existing ones. A crucial property of CSP is the fact that refinement is preserved under compositions involving these operators: 

    If Pi ⊑FD Qi for i : 0..n and ω is an n-ary operator, 
    then ω(P0, ..., Pn) ⊑FD ω(Q0, ..., Qn) holds. 

If livelock freedom of ω(Q0, ..., Qn) cannot be established because of the problem size, find simpler processes P0, ..., Pn such that Pi ⊑ Qi for each i ∈ {1, ..., n} and ω(P0, ..., Pn) is livelock free. If this property can be established, compositionality combined with refinement implies the livelock freedom of ω(Q0, ..., Qn) as well. 

3.4 Liveness Induction 

Another result which we applied during the FML analysis was developed by Roscoe (detailed in [7]). It allows one to derive livelock freedom of a collection of triple-disjoint communicating processes: 

Definition 1 (Triple-Disjoint Process System). A system of processes is 
called triple-disjoint, if no communication requires the participation of more than 
two processes. 

Theorem 3. Suppose V = (P1, ..., Pn) is a triple-disjoint system of non-divergent processes such that for every Pi in V 

    Pi \ (∪_{j<i} (α(Pi) ∩ α(Pj))) 

is divergence-free. Then 

    (P1 || ... || Pn) \ H   where H = ∪_{i≠j} (α(Pi) ∩ α(Pj)) 

is also divergence-free. 

□ 

In the above theorem α(Pi) (1 ≤ i ≤ n) denotes the alphabet of Pi. Informally speaking, this theorem states that if no process Pi in the system can perform an infinite sequence of communications with Pj (for all j < i), then the system is livelock free with respect to its incoming and outgoing channels. 

Theorem 3 is useful in many cases, but finding an order on the processes of a parallel system may be very inefficient. An FML lane consists of 8 processes which have a complicated communication behavior. Consequently, it is very difficult to arrange them in a proper order for applying the theorem. One could try a large number of combinations (in our application at worst 8!); there are 7 proof obligations for each combination. 

For this reason we have developed a new technique, liveness induction, which can be used to verify livelock freedom at the channel level. To verify that process P is livelock free with respect to channels of interface I, the induction is based on a set C of channels, inductively defined by 

1. The interface I is contained in C. 

2. If {|c1, ..., cn|} is contained in C and there exist a channel d ∉ I and a bounding function f : N0 → N0, such that 

    #(s↾{|d|}) ≤ f(#(s↾{|c1, ..., cn|})) 

then d is contained in C, too. 

3. No other channel is in C. 

Liveness induction is now applied according to the rules of the following theorem (see Peleska et al. [?]): 

Theorem 4. Let P1, ..., Pn form a triple-disjoint system of concurrent processes, such that each Pi is livelock free with respect to its local interface Ii =df α(Pi) − Li, where Li is the set of its internal channels. Then (P1 || ... || Pn) is non-divergent with respect to global interface I ⊆ ∪_{i=1}^{n} Ii, if C =df ∪_{i=1}^{n} Ii can be inductively constructed according to the rules given above. 

□ 

This theorem can be proved by induction on the number of processes involved, based on the compositionality of bounding functions. If communication on channel c2 is bounded by communication on c1 with bounding function f1, and communication on c3 is bounded by communication on c2 with bounding function f2, then communication on c3 is bounded by communication on c1 with f1 ∘ f2 as a bounding function. 

Liveness induction was used for the proof of FML in the following way: After showing the livelock freedom of each top-level process of FML we treat all the processes except the process Link Interface as a single process, say REST. Let SYS = (REST, A(Link Interface)); it is a triple-disjoint system. The following assertion can be proved using FDR: 

    A(Link Interface) \ (α(A(Link Interface)) ∩ α(REST)) is free of livelock 

If we can show that REST is livelock free, then the whole system is livelock free, too, using Theorem 3. 

The next verification target is to show the livelock freedom of REST, which is reached by liveness induction. At the beginning, C contains all channels in the interface of REST, such as ToInDist[0..6]. Then, all channels bounded by the channels in C are added to C. For example, communications on channels InDist2Voter[0..i] and InDist2OutDist are bounded by the communications on ToInDist in Input Distributor (proved in Subsection 3.3), so InDist2Voter[0..i] and InDist2OutDist are contained in C, too. In this way, we have shown that all channels involved in the communications of REST are contained in C. 

Note that liveness induction is a forward analysis for livelock freedom, and 
contrasts with the approach described in the next section. 
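Liveness induction can be carried out mechanically once the bounding facts for the individual processes are known. The Python program below is an added example, not the paper's tooling; the channel names and bounding facts are constructed to resemble the FML structure. Each fact records that communications on a channel d are bounded by an affine function a*x + b of the number of communications on a set of already admitted channels; the closure C is computed from the interface by the three rules above and, going beyond the text, an explicit affine bound in terms of the total number N of interface communications is derived for every admitted channel by composing the bounding functions. A channel whose only bound refers to an unmodelled channel is never admitted, and the condition of Theorem 4 then fails.

```python
# Added example (not from the paper): liveness induction as a fixpoint
# computation over channels.  Each "bounding fact" records that
#   #(s↾{|d|}) <= a * #(s↾{|c1,...,cn|}) + b
# for a channel d and channels c1..cn, i.e. an affine bounding function
# f(x) = a*x + b.  Starting from the interface I, the closure C is built as
# in rules 1-3 of the text, and an affine bound in terms of the total number
# of interface communications N is derived for every channel admitted to C
# by composing bounding functions.  Channel names and facts are constructed.

def liveness_induction(interface, facts):
    """interface: set of channel names; facts: list of (d, sources, (a, b)).
    Returns (C, bounds, rejected) where bounds maps each channel in C to
    (A, B) with #d <= A*N + B, and rejected lists the facts whose sources
    never all became members of C."""
    C = set(interface)
    bounds = {c: (1, 0) for c in interface}      # #c <= N for every c in I
    pending = list(facts)
    changed = True
    while changed:
        changed = False
        still_pending = []
        for d, sources, (a, b) in pending:
            if d in C:
                continue                            # already admitted
            if set(sources) <= C:
                # the sum of the sources' bounds is again affine in N,
                # and applying f(x) = a*x + b to it keeps it affine
                A = sum(bounds[c][0] for c in sources)
                B = sum(bounds[c][1] for c in sources)
                bounds[d] = (a * A, a * B + b)
                C.add(d)
                changed = True
            else:
                still_pending.append((d, sources, (a, b)))
        pending = still_pending
    return C, bounds, pending

def livelock_free_wrt(interface, facts, all_channels):
    """Theorem 4 view: every channel of the system must end up in C."""
    C, _, _ = liveness_induction(interface, facts)
    return set(all_channels) <= C

# Constructed FML-like channel structure (names chosen to resemble the paper's).
INTERFACE = {"ToInDist", "Link0_in"}
FACTS = [
    # Input Distributor forwards each input to the voter and to the output
    # distributor at most once (cf. the MUXOUT bound with max = 1).
    ("InDist2Voter",   ["ToInDist"], (1, 0)),
    ("InDist2OutDist", ["ToInDist"], (1, 0)),
    # the voter emits at most one result per value it receives, plus one
    # initial value after start-up
    ("Voter2OutDist",  ["InDist2Voter"], (1, 1)),
    ("OutDist2Link",   ["InDist2OutDist", "Voter2OutDist"], (2, 0)),
    # a heartbeat driven only by an unmodelled timer channel is never admitted
    ("Heartbeat",      ["Timer"], (1, 0)),
]
ALL_CHANNELS = INTERFACE | {"InDist2Voter", "InDist2OutDist", "Voter2OutDist",
                            "OutDist2Link", "Heartbeat"}

def demo():
    C, bounds, rejected = liveness_induction(INTERFACE, FACTS)
    return C, bounds, [d for d, _, _ in rejected]

if __name__ == "__main__":
    C, bounds, rejected = demo()
    for ch in sorted(C):
        A, B = bounds[ch]
        print(f"{ch:16s} #<= {A}*N + {B}")
    print("not admitted:", rejected)
    print("livelock free wrt interface:",
          livelock_free_wrt(INTERFACE, FACTS, ALL_CHANNELS))
```

Restricting the facts to affine functions is a convenience of the example: the closure itself only needs the existence of some bounding function per fact, as in rule 2, and the derived coefficients show why composing bounds stays sound (a bound on a bound is still a bound).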



3.5 Dependency Analysis 

Whereas the software structure of FML allowed us to use repeated abstraction by means of the generic processes MUXOUT and liveness induction, the complex communication behavior of AVI required a different approach. It turned out that there are three obstacles: 

— even some of the main processes are too complex to be verified using model- 
checking directly; 

— it is not possible to decompose the task into subtasks based on the composi- 
tional theory since the communication behavior turns out to be too complex; 

— for the same reason no further abstraction is possible. 

This combination prevents the applicability of liveness induction as presented in the previous section. As an alternative a special form of dependency analysis was used for investigating cycles in the communication graph of processes which could not be checked using FDR directly due to the size of the state space. This analysis is a backwards analysis that determines all possible chains of communication events that may lead to a specific communication. The analysis technique is derived from tree analysis techniques such as Fault Tree Analysis (for the use of Fault Tree Analysis in software applications see for example Lyu [?]). 

Consider a set of processes P1, ..., Pn which have been proved to be free of livelock individually. Let SYS = P1 || ... || Pn be a net of these processes with internal synchronization communications C. The communication graph of SYS displays the channels and the direction of communication between the processes Pi, i ∈ {1, ..., n}. If this graph for SYS contains cycles it is not necessarily the case that these cycles can actually occur. If none of the cycles can actually occur, SYS is livelock free. For the analysis of AVI there are two reasons that a cycle cannot actually occur: 

— the CSP processes involved do not produce traces that correspond to the 
cycle; this is for example the case if one of the communications does not 
depend on its predecessor in the cycle. 
— the cycle is possible in the CSP process, but additional information derived from the occam code allows one to exclude the occurrence of this situation. 

For the analysis of AVI most of the cycles could be invalidated due to the first cause. The approach is illustrated in the following using a small example from AVI. 

Fig. 3. BC communication graph (figure not reproduced; edge labels: dev.data.output; (1) c.stat, real.reset.01, real.reset.02; (2) autosync.on, reset.autoframing; (3) autoframing.intr.error, EOM.ctrl, start.timeout; (4) reset.intr.handler, kill.pending.EOM.intr; (5) int.request.err, spurious.intr, reset.timeout, eos.channel; (6) EOM.intr.req, FTC.clock.intr.req.chan, kill.pending.ftc.clock.intr) 



The structure of module BC (broadcast unit) of AVI is presented in the communication graph of Figure 3. The individual processes Pi, i ∈ {0, ..., 3}, can easily be checked for livelock freedom using FDR, i.e. it is guaranteed that no non-terminating internal communications can occur within the Pi. Each of these processes is itself a system of several subprocesses, which are denoted Pi1, ..., Pini. In order to ensure that the whole BC module is free of livelock it suffices to prove that none of the cycles in the graph can actually occur^. 

Regard for example the cycle involving P0 and P1. A livelock situation can only occur if output cmd directly depends on the events c_stat, real.reset.01, or real.reset.02 and vice versa. But this is not the case as code inspection of the CSP abstraction shows: the output of cmd only depends on the external input to_dev. In order to prove this it is necessary to trace the preceding communications leading to the output through the internal subprocesses of P0. 

This type of analysis can be performed systematically for all cycles. In general it is only necessary to find one edge in a cycle that does not depend on its predecessors. This breaks a cycle and makes it uncritical with respect to livelock. The analysis itself is documented using techniques gleaned from fault-tree analysis. For each relevant communication it is traced by which other communications, resp. sequence of communications, it can be triggered. The following notations are used: 

^ This does not guarantee a fair treatment of the inputs; such a property has to be proved using different means. 



For channels ch1, ..., chn and process P 

    ch1 <--[P]-- ch2 

denotes that in P an output ch1 is produced if beforehand an input on channel ch2 did occur. The fan-in 

    ch1 <--[P]-- (ch2 | ch3 | ... | chn) 

means that an output on channel ch1 is only possible after any of the inputs chi, i ∈ {2, ..., n}. 



As an example the dependencies of event kill_pending_EOM_intr from P1 to P2 are presented here (the subprocess through which each dependency runs is given in brackets): 

    kill_pending_EOM_intr 
      <--[P12]-- start_timeout.1 
        <--[P31]-- ftc_clock_event 
          <--[P22a]-- from_intr_handler                              OK 
      <--[P12]-- start_timeout.2 
        <--[P33]-- (P33 loop after enabled) start_subframe_timer 
          <--[P31]-- ftc_clock_event 
            <--[P22a]-- from_intr_handler                            OK 

Note that it is necessary to trace the communications through several subprocesses not only of processes P1 and P2 but also of process P3. Furthermore, it is essential that the dependency analysis is complete, i.e. that every sequence of communications leading to the event under consideration is investigated. This means that in the example above start_timeout.1 and start_timeout.2 are the inputs to process P1 which can cause an output of kill_pending_EOM_intr. 

In the case of BC and other units of the AVI this kind of analysis was used to 
ensure that most of the cycles in the communication graphs do not occur and 
to identify critical cycle situations as well. For AVI all the latter situations could 
be excluded due to further reasoning based on the original code. 
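The cycle-breaking argument of this section can be organised as a small program once the per-process dependencies have been traced through the subprocesses. The Python program below is an added example, not the paper's analysis; the process graph, channel names and dependency table are constructed to resemble the BC example (P0, P1, cmd, c_stat and so on). It enumerates every simple cycle of the communication graph and marks a cycle as broken at the first edge whose output does not depend on the input delivered by the preceding edge, leaving only the critical cycles that need further reasoning on the original code.

```python
# Added example (not the paper's code): the backwards dependency analysis of
# this section on a constructed communication graph.  Processes and channels
# are chosen to resemble the BC module (P0..P3, cmd, c_stat, ...), but the
# edges and the dependency table are constructed for the example.  Every
# simple cycle of the graph is enumerated; a cycle is harmless as soon as one
# of its edges carries an output that does not depend on the input delivered
# by the preceding edge of the cycle (the fault-tree "<--" relation, traced
# through the subprocesses beforehand and summarised here per process).

def simple_cycles(edges):
    """Enumerate simple cycles of a directed multigraph given as
    (source, channel, target) triples.  Every cycle is reported once, as the
    tuple of its edges starting at its smallest node name."""
    succ = {}
    for src, ch, dst in edges:
        succ.setdefault(src, []).append((ch, dst))
    cycles = []

    def extend(start, node, path, on_path):
        for ch, dst in succ.get(node, []):
            edge = (node, ch, dst)
            if dst == start:
                cycles.append(tuple(path + [edge]))
            elif dst > start and dst not in on_path:
                extend(start, dst, path + [edge], on_path | {dst})

    for start in sorted(succ):
        extend(start, start, [], {start})
    return cycles

def classify_cycle(cycle, depends):
    """depends[(process, output_channel)] is the set of input channels of
    that process that can trigger the output.  Returns ('broken', edge) for
    the first edge that is independent of its predecessor in the cycle, or
    ('critical', None) if every output in the cycle depends on the input
    delivered by the previous edge."""
    n = len(cycle)
    for i, (proc, out_ch, _) in enumerate(cycle):
        _, in_ch, _ = cycle[(i - 1) % n]          # edge delivering into proc
        if in_ch not in depends.get((proc, out_ch), set()):
            return ("broken", (proc, out_ch, in_ch))
    return ("critical", None)

def analyse(edges, depends):
    return [(cycle, classify_cycle(cycle, depends)) for cycle in simple_cycles(edges)]

# Constructed graph and dependency table.
EDGES = [
    ("P0", "cmd", "P1"),
    ("P1", "c_stat", "P0"),
    ("P1", "kill_pending_EOM_intr", "P2"),
    ("P2", "EOM_intr_req", "P1"),
    ("P2", "start_timeout", "P3"),
    ("P3", "reset_timeout", "P2"),
]
DEPENDS = {
    ("P0", "cmd"):                   {"to_dev"},            # external input only
    ("P1", "c_stat"):                {"cmd"},
    ("P1", "kill_pending_EOM_intr"): {"start_timeout.1", "start_timeout.2"},
    ("P2", "EOM_intr_req"):          {"kill_pending_EOM_intr"},
    ("P2", "start_timeout"):         {"reset_timeout"},
    ("P3", "reset_timeout"):         {"start_timeout"},
}

def critical_cycles():
    """Cycles that survive the analysis and need reasoning on the occam code."""
    return [cycle for cycle, (verdict, _) in analyse(EDGES, DEPENDS)
            if verdict == "critical"]

if __name__ == "__main__":
    for cycle, (verdict, why) in analyse(EDGES, DEPENDS):
        route = " -> ".join(f"{s}-{ch}->{t}" for s, ch, t in cycle)
        extra = f"  (independent edge: {why})" if why else ""
        print(f"{verdict:8s} {route}{extra}")
```

The soundness of the verdict rests entirely on the dependency table being complete, which is the point made above about tracing every sequence of communications: an input missing from a set in DEPENDS can turn a critical cycle into a falsely broken one.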
4 Livelock Analysis - Some Experiences 

Starting point for the livelock analysis for both AVI and FML were the abstractions that had been used in the deadlock analysis (see Buth et al. [3]). Due to the hierarchical architecture of both components, we first tried to establish the freedom of livelock for each of the main processes. During this phase some adjustments in the abstractions were necessary to eliminate non-determinism and formalize the new proof obligations. One example is the explicit introduction of timer processes in order to avoid divergence through timer dependent events. These did not pose any problems for the deadlock analysis. 

During this first step it soon became obvious that for the subprocesses of both FML and AVI it was not feasible to use model-checking directly, even in cases where it was possible for the deadlock analysis. On the one hand this is due to the changes in the abstraction which enlarge the state space, on the other hand the problem arises since the states themselves are larger. The reason for this is that livelock analysis uses the failures-divergence model of CSP, while the deadlock analysis could be performed within the failures model. The internal representation of the states has to contain the additional information about the divergence sets and thus is larger. In some cases it was thus not possible to derive even the results for the main processes of FML and AVI. Additionally it was necessary to find a suitable approach for combining the results from the livelock analysis of the main processes to obtain a result for the two units as a whole. 

In general two different approaches are possible in this situation: 

— further abstraction and exploitation of the theorems of preservation of the 
results under refinement, 

— further decomposition of components, separate analysis for each basic unit, 
and derivation of properties for the combined units. 

While the first proved to be a suitable way of dealing with the main processes 
of FML, the complex communication behaviour of AVI made it necessary to pursue 
the second approach. In both cases it was necessary to employ suitable means 
for combining the results for the overall unit. 

5 Conclusion 

The main obstacle for the analysis of livelock freedom or other properties of 
realistic industrial systems is their size and complexity. Without suitable ap- 
proaches for splitting the task into manageable subtasks the attempt of using 
formal methods and related tools in this area is futile. For our project it proved 
to be necessary to use a combination of techniques in order to decompose the 
goal appropriately. These techniques comprise 

— abstraction of occam code to CSP, 

— use of the compositional proof theory of CSP, 

— abstraction to instances of processes from generic theories, 

— model checking (for sufficiently small subprocesses), 

— liveness induction, 

— dependency analysis. 

While there is tool support for model checking, namely the system FDR, 
the other techniques had to be applied manually. Future work will comprise the 
search for, and if necessary the development of, tools supporting these tasks. 

One useful tool would be one that interactively guides the abstraction pro-
cess, not only for occam programs but for other compatible languages as well. In 
order to gain more confidence in the abstraction process, it will be necessary to 
justify theoretically the preservation of specification properties by the abstraction 
steps. The idea is to classify abstractions with respect to livelock, deadlock, and 
general safety properties. This will provide a basis for the other methods 
in a systematic and even tool-supported way. 

Another aspect of abstraction is the use of generic theories. Here it will be 
necessary to look for more generic patterns and their specific properties. Some 
such patterns like buffers, systolic arrays, and multiplexers could be found in the 
software of our project, others will be found during other case studies. Again it 
will be useful to classify these theories with respect to their specific properties 
in order to develop heuristics for their application in the context of abstractions. 
Furthermore, it will be necessary to prove the properties of the generic theories 
in a formal way. We would like to employ tools like HOL, Isabelle, or PVS for 
this task. Some work in this direction can for example be found in Buth et al. 
[?]. 

Additional abstraction methods for abstracting from irrelevant details can 
be used for certain verification obligations that are not covered by refinement 
relations. During the verification of the Byzantine Agreement Protocol imple-
mentation we have developed several such abstraction methods. For example, 
data abstraction, which abstracts a process from the concrete data content of 
communications, has proved to be useful for protocol verifications, where some 
of the properties of message distributions can be verified without the data con-
tent of messages. For different applications different abstraction methods 
have been or will be developed, which together with compositional theories and 
generic theories will form a method framework for our future activities in this 
area. 

Tool support is also feasible for the dependency analysis. A rough idea is to 
use an approach with three phases: 

— in the first phase the graph is built from the abstraction, i.e. the CSP pro-
cesses; 

— in the second phase all cycles are marked; 

— in the third phase the cycles are investigated with respect to the dependencies 
of their constituent edges. 

This kind of backwards cycle analysis could be complemented by a forward 
analysis for determining the bounds of the communication load of the cycles. 
This could help or replace the livelock induction process. Tools for these tasks 
might be found with groups working with graph transformation systems or in 
the area of graph theory in general. 
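As an added illustration of the three-phase dependency analysis sketched above (this is example code, not code from the paper or its project), the following Python builds a communication graph from a constructed CSP-style abstraction of a few processes, enumerates its elementary cycles, and then checks for each edge of a cycle whether the output it carries can be caused by an input that itself arrives on the cycle; a cycle all of whose edges can be caused from within the cycle is reported as critical, i.e. as a livelock candidate that must be examined against the original code, while the others are excluded. All process names, channel names and dependencies in SPEC are constructed for this example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# An edge of the communication graph: (sender, receiver, event communicated).
Edge = Tuple[str, str, str]

# Constructed abstraction of a few communicating processes (not the paper's AVI/FML
# code).  'outputs' maps each event a process sends to its receiver; 'depends'
# records the backward dependency discussed in the text: output e can only occur
# after one of the listed inputs has been received (an empty set means the event
# is caused by something outside the modelled system, e.g. a hardware interrupt).
SPEC = {
    'P1':    {'outputs': {'req': 'P2'},
              'depends': {'req': {'ack', 'tick'}}},
    'P2':    {'outputs': {'fwd': 'P3', 'poll': 'P4'},
              'depends': {'fwd': {'req'}, 'poll': {'req'}}},
    'P3':    {'outputs': {'ack': 'P1'},
              'depends': {'ack': {'fwd'}}},
    'P4':    {'outputs': {'done': 'P2'},
              'depends': {'done': {'ext'}}},
    'TIMER': {'outputs': {'tick': 'P1'},
              'depends': {'tick': set()}},
    'EXT':   {'outputs': {'ext': 'P4'},
              'depends': {'ext': set()}},
}


def build_graph(spec) -> List[Edge]:
    """Phase 1: derive the communication graph (one edge per output channel)."""
    return [(proc, dst, event)
            for proc, desc in spec.items()
            for event, dst in desc['outputs'].items()]


def find_cycles(edges: List[Edge]) -> List[List[Edge]]:
    """Phase 2: enumerate every elementary cycle once, as a list of edges.

    A cycle is reported only from its alphabetically smallest process, and the
    search never visits a process smaller than that start, so no cycle is listed
    twice (a simplified form of Johnson's algorithm, adequate for the small
    abstractions that remain after decomposition).
    """
    succ: Dict[str, List[Edge]] = defaultdict(list)
    for e in edges:
        succ[e[0]].append(e)
    cycles: List[List[Edge]] = []

    def walk(start: str, node: str, path: List[Edge], seen: Set[str]) -> None:
        for e in succ[node]:
            nxt = e[1]
            if nxt == start:
                cycles.append(path + [e])
            elif nxt > start and nxt not in seen:
                walk(start, nxt, path + [e], seen | {nxt})

    for start in sorted(succ):
        walk(start, start, [], {start})
    return cycles


def breaking_edges(spec, cycle: List[Edge]) -> List[Edge]:
    """Phase 3: the edges of a cycle whose output cannot be caused by an input
    that itself travels along the cycle.

    For an edge (p, q, e) we collect the events the cycle delivers to p and
    intersect them with the backward dependency of e in p.  An empty
    intersection means e needs a stimulus from outside the cycle, so the cycle
    cannot sustain itself through this edge.
    """
    result: List[Edge] = []
    for edge in cycle:
        sender, _, event = edge
        arriving = {ev for _, rcv, ev in cycle if rcv == sender}
        if not (spec[sender]['depends'][event] & arriving):
            result.append(edge)
    return result


def classify_cycles(spec) -> Dict[str, List[List[Edge]]]:
    """Run the three phases: cycles without a breaking edge are 'critical' and
    must be checked further, the others are 'excluded'."""
    verdict: Dict[str, List[List[Edge]]] = {'critical': [], 'excluded': []}
    for cycle in find_cycles(build_graph(spec)):
        key = 'critical' if not breaking_edges(spec, cycle) else 'excluded'
        verdict[key].append(cycle)
    return verdict


if __name__ == '__main__':
    for kind, cycles in classify_cycles(SPEC).items():
        for cycle in cycles:
            print(kind, ' -> '.join(f'{s}.{e}' for s, _, e in cycle))
```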
Abstract. Subsequently, we introduce a reasoning formalism which in 
particular allows us to express that certain sets in a system of subsets of a 
given set are disjoint. The main purpose of considering such a family of 
subsets is to be able to investigate how knowledge grows as subsets shrink 
in the course of time. We actually introduce a trimodal logic, i.e., we have a 
system containing operators for knowledge and time, of which the latter 
corresponds to the effort of measurement and is reminiscent of the nexttime 
operator of temporal logic; an operator separating sets is then added. So-
called subset tree models appear as the relevant semantical structures. We 
present an axiomatization of the set of valid formulas encompassing the 
three operators and their interaction. Afterwards the completeness of the 
given axiomatization is proved. We also give arguments showing that the 
logic is decidable. 



1 Introduction 

In recent years a distinguished extension of propositional modal logic has received 
some attention from people interested in the logical foundations of AI. 
The main concern of this logic is reasoning about knowledge. It was presented 
for the first time in the paper [?] and was studied in detail in [?]. We briefly 
describe its basic ideas. 

The logical operators which are present in the formal system quantify over points 
in a set, X, and over sets in a system of subsets of X, O, respectively. Given a so-
called subset frame S = (X, O), the elements of O can be interpreted as sets of 
knowledge states. The logical language describes the change of these sets, which 
is caused by certain knowledge gaining procedures like improving the precision 
of one's measurement or, more generally, by spending computational effort. 

On the other hand, the ability to formalize certain aspects of topological reason-
ing constitutes another field of application. In fact, the shrinking of a set within a 
system of sets is reminiscent of the kind of approximation procedures which are mod-
elled mathematically by topological means. So a part of topology is represented 
by the logic, and it can actually be determined which part (see [3]). Because of 
this relationship with topology the elements of O are called the opens; the logic 
is conveniently called topological modal logic. Quite recently certain systems of 
topological modal logic have also been used to express properties of hybrid sys-
tems formally [2]. 

As was already indicated, the language contains a modal operator □ quan-
tifying over sets. Actually, □ models descent in O (w.r.t. set inclusion). This 
reflects the fact that an increase in the knowledge of an agent corresponds to 
a shrinking of the set of states she considers to be alternatives. Thus reasoning 
about knowledge in this way leads to dealing with shrinking procedures as in 
topology. Consequently, □ comes out as an effort operator in both contexts. 

The structure of (O, ⊆) may be very complicated in general. So the effect of □ 
is hard to grasp.¹ However, presupposing a functional interpretation of □, i.e., 
viewing □ as a nextstep operator, not only leads to a temporal interpretation of 
the subset space logic in a stronger sense, but in particular forces (O, ⊆) to be a 
subset tree. A corresponding logical system of knowledge and (discrete) time was 
studied in [?]. More special properties of the tree structure on the set of opens 
have been examined, too, including finite height [?] and binary ramification [?]. 
The results obtained so far concern completeness of a respective axiomatization 
of the set of valid formulas, decidability of this set, and the determination of the 
complexity of the satisfiability problem. 

It is very desirable to extend the framework indicated above in order to make the 
language more and more appropriate for the description of phenomena occurring 
in connection with the notion of knowledge or, in other words, for the specifica-
tion of properties involving knowledge. Moreover, to capture different and more 
subtle aspects of topological reasoning formally is a challenging task as well. As 
to the first point of view, one would like to control, for instance, the decompo-
sition of a set of knowledge states at a future time point by means of formulas. 
Concerning the second, one should be able to deal with topological separation 
adequately. Mastering complementation in topological modal logic is desirable, 
too, since it appears naturally in spaces where the opens are in fact clopen, like 
the frequently used Cantor space of all infinite 0-1-sequences (equipped with 
the prefix topology) (see [10]). 

In the present paper we add a modal operator expressing separation to the modal 
logic of subset trees.² Our aim is to give a complete axiomatization and a deci-
sion procedure for the set of validities in this case. To this end some basic notions 
and facts from modal logic are required, which are contained in the first sections 
of [?] and [?], respectively; concerning the logic of knowledge, [?] is used as a 
standard reference book. 

The paper is organized as follows: In Section 2 we present the syntax and the 
semantics of the underlying logical language of separation, LS, which is based 
upon the above mentioned system of knowledge and time. Thus we define a tri-
modal language containing a knowledge operator, K, a nextstep operator, ○, and 
a separation operator, S. Afterwards, in Section 3, we introduce a logical system S 
which is aimed at producing every semantically valid formula of LS. In Sec-
tion 4 we outline the proof of the completeness of the system S. However, only the 
matters of a corresponding model construction are given and no verifications.³ 
In Section 5 we describe, even more sketchily, how to obtain decidability of our 
logic. The final section contains some concluding remarks. In particular, 
we discuss how complementation may be incorporated into the logic of subset 
spaces and how it may be related to separation. 

¹ Nevertheless, for some very interesting special classes of subset frames the corre-
sponding modal logic could be determined. The reader should consult [?], [?] and [?] 
to get to know these logics. 

² The set-valued complementation operator is touched on in the concluding remarks. 

2 The Logical Language 

We introduce the syntax and semantics of a language, LS, in which, e.g., certain 
linear time properties of knowledge can be expressed and sets of knowledge states 
can be separated at future time points. 

Let PV be a recursively enumerable set of strings, called propositional variables 
(denoted by upper case Roman letters). Based on PV, the set $\mathcal{F}$ of LS-formulas 
(denoted by lower case Greek letters) is defined by the following clauses: 

— $PV \cup \{\top\} \subseteq \mathcal{F}$; 

— $\alpha, \beta \in \mathcal{F} \Rightarrow \neg\alpha,\ K\alpha,\ \bigcirc\alpha,\ S\alpha,\ (\alpha \wedge \beta) \in \mathcal{F}$; 

— no other strings belong to $\mathcal{F}$. 

We use common conventions denoting formulas and, especially, the following 
abbreviations: 

$L\alpha$ for $\neg K\neg\alpha$ and $T\alpha$ for $\neg S\neg\alpha$. 

As the nextstep operator turns out to be self-dual there need not be a corre-
sponding abbreviation in case of $\bigcirc$. 

The semantical structures are triples $(X, d, \sigma)$ specified by the subsequent defi-
nition. 

Definition 1. Let X be a non-empty set, and let $d = (E_j)_{j \in \mathbb{N}}$ be a sequence 
of equivalence relations on X such that every class of $E_j$ is the union of some 
classes of $E_{j+1}$, for all $j \in \mathbb{N}$. Then the pair $\mathcal{T} = (X, d)$ is called a subset tree 
frame. 

Let a mapping $\sigma : PV \times X \to \{0, 1\}$ be given additionally. Then $\sigma$ is called a 
valuation, and the triple $\mathcal{M} = (X, d, \sigma)$ is called a subset tree model (based on 
$\mathcal{T}$). 

The set of all equivalence classes w.r.t. the relations $E_j$ ($j \in \mathbb{N}$) is called the 
set of opens of $\mathcal{T}$. Note that in every subset tree model the set of opens contained 
in any equivalence class of the relation $E_0$ forms in fact a tree w.r.t. (reverse) set 
inclusion such that no two opens on the same level intersect. Thus, in particular, 
subset tree models are treelike in the sense of [?]. Moreover, an open need not 
necessarily decompose into at least two proper subsets at the next step; so the 
desired separation property must vacuously be true in the unramified case. The 
precise meaning of the operator S is given in the subsequent definition. 

³ More details as well as the missing proofs will be published in the full version of this 
paper. 

Let $U_j^x$ denote the equivalence class of x w.r.t. the relation $E_j$. A pair $x, U_j^x$ 
(designated without brackets) is called a neighbourhood situation of $\mathcal{T}$. Using 
this notation we introduce the validity relation for LS-formulas. 

Definition 2 (Semantics of LS). Let a subset tree model $\mathcal{M} = (X, d, \sigma)$ and 
a neighbourhood situation $x, U_j^x$ of $\mathcal{M}$ be given. Then we define 

$$
\begin{array}{lcl}
x, U_j^x \models_{\mathcal{M}} A & :\iff & \sigma(A, x) = 1 \\
x, U_j^x \models_{\mathcal{M}} \neg\alpha & :\iff & x, U_j^x \not\models_{\mathcal{M}} \alpha \\
x, U_j^x \models_{\mathcal{M}} \alpha \wedge \beta & :\iff & x, U_j^x \models_{\mathcal{M}} \alpha \ \text{and}\ x, U_j^x \models_{\mathcal{M}} \beta \\
x, U_j^x \models_{\mathcal{M}} K\alpha & :\iff & y, U_j^x \models_{\mathcal{M}} \alpha \ \text{for all}\ y \in U_j^x \\
x, U_j^x \models_{\mathcal{M}} \bigcirc\alpha & :\iff & x, U_{j+1}^x \models_{\mathcal{M}} \alpha \\
x, U_j^x \models_{\mathcal{M}} S\alpha & :\iff & \text{for all}\ y \in U_j^x:\ \text{if}\ U_{j+1}^x \cap U_{j+1}^y = \emptyset, \\
 & & \text{then}\ y, U_{j+1}^y \models_{\mathcal{M}} \alpha,
\end{array}
$$

for all $A \in PV$ and $\alpha, \beta \in \mathcal{F}$. 



In case $x, U_j^x \models_{\mathcal{M}} \alpha$ is valid we say that $\alpha$ holds in $\mathcal{M}$ at the neighbourhood 
situation $x, U_j^x$; moreover, the formula $\alpha \in \mathcal{F}$ holds in $\mathcal{M}$ (denoted by $\models_{\mathcal{M}} \alpha$), 
iff it holds in $\mathcal{M}$ at every neighbourhood situation. If there is no ambiguity, 
we omit the index $\mathcal{M}$ subsequently. Note that the semantics of the operator 
K is the intended one in contexts where K is interpreted as knowledge, since 
$U_j^y = U_j^x$ if $y \in U_j^x$. Furthermore, according to the definition of the validity of 
$S\alpha$ the separation happens within the given open at the next time point. For 
convenience of the reader, we also mention the semantics of the dual T of S: 

$x, U_j^x \models_{\mathcal{M}} T\alpha \ :\iff\ $ there is a $y \in U_j^x$ such that 
$U_{j+1}^x \cap U_{j+1}^y = \emptyset$ and $y, U_{j+1}^y \models_{\mathcal{M}} \alpha$. 

This definition shows in particular that the dual operator of S is stronger than 
the compound operator "$L\bigcirc$". 

Finishing this section we present a small example. Let 

$X := \{ f \mid f : \mathbb{N} \to \{0, 1\} \}$, 

and let $U_j^f$ be defined by 

$U_j^f := \{ g \in X \mid g(i) = f(i) \ \text{for}\ i = 0, 1, \ldots, j \}$ 

for all $f \in X$ and $j \in \mathbb{N}$. The resulting subset tree frame $\mathcal{C}$, which is important 
for many applications, is called the Cantor space (by abuse of notation; see the 
introductory section). Let A represent the proposition "the actual output is 1". 
Then the formula SA holds at every neighbourhood situation $f, U_j^f$ of $\mathcal{C}$ such 
that f satisfies $f(j+1) = 0$ (in every model interpreting A properly). 
3 The System S 



Subsequently we present lists of axioms and rules, respectively, which constitute 
a logical system S. Later on we show that the set of S-theorems coincides with 
the set of LS-validities, i.e., a formula $\alpha \in \mathcal{F}$ is S-derivable iff it holds in all 
subset tree models. 

We take the following schemes of formulas as axioms: 

(1) All $\mathcal{F}$-instances of propositional tautologies 

(2) $K(\alpha \to \beta) \to (K\alpha \to K\beta)$ 

(3) $K\alpha \to \alpha$ 

(4) $K\alpha \to KK\alpha$ 

(5) $L\alpha \to KL\alpha$ 

(6) $(A \to \bigcirc A) \wedge (\neg A \to \bigcirc\neg A)$ 

(7) $\bigcirc(\alpha \to \beta) \to (\bigcirc\alpha \to \bigcirc\beta)$ 

(8) $\neg\bigcirc\alpha \leftrightarrow \bigcirc\neg\alpha$ 

(9) $\bigcirc L\alpha \to L\bigcirc\alpha$ 

(10) $S(\alpha \to \beta) \to (S\alpha \to S\beta)$ 

(11) $\bigcirc\alpha \wedge T\beta \to L(T\alpha \wedge \bigcirc\beta)$ 

(12) $\bigcirc K\alpha \wedge S\alpha \to K\bigcirc\alpha$, 

for all $A \in PV$ and $\alpha, \beta \in \mathcal{F}$. 

Adding rules, we get a logical system designated S. In fact, modus ponens as 
well as necessitation w.r.t. each modality are present: 

(1) $\dfrac{\alpha,\ \alpha \to \beta}{\beta}$ 

(2) $\dfrac{\alpha}{K\alpha}$ 

(3) $\dfrac{\alpha}{\bigcirc\alpha}$ 

(4) $\dfrac{\alpha}{S\alpha}$ 

for all $\alpha, \beta \in \mathcal{F}$. For convenience, we comment on some of the axioms. The 
schemes (3), (4) and (5) represent the standard axioms of knowledge. They 
characterize reflexivity, transitivity, and the euclidean property, respectively, of 
the accessibility relation in Kripke frames, which are the common semantical 
domains of modal logic. The scheme (8) corresponds in this sense with func-
tionality. (9) relates the nexttime operator to the dual of K, saying that $\bigcirc\alpha$ 
is possible at the actual neighbourhood situation whenever $\alpha$ is possible at the 
succeeding one. (The converse is not always true.) This axiom determines the 
interaction between knowledge and time. Schemes of this form are typical of 
the systems considered in topological modal logic. Axioms (2), (7) and (10) first 
of all have a proof-theoretical meaning. (11) and (12) relate to each other the 
way the three modal operators of our language work; note that (12) represents 
a certain reversal of the dual of (9). Finally, we should say a few words about 
the scheme (6). It has to be added because we want the valuation to be inde-
pendent of the time component of a neighbourhood situation. This requirement 
simplifies the definition of the semantics, but it clearly implies that the system 
is not closed under substitution. 

Using the above definitions the soundness of the axioms and the rules w.r.t. the 
intended structures can easily be established. 
Proposition 1. Axioms (1) to (12) hold in every subset tree model, and rules 
(1) to (4) preserve the validity of formulas. 

While soundness of the calculus is easy to see, we need some preparations in 
order to prove its completeness as well. To this end we use the canonical model $\mathcal{M}$ 
of the system S extensively. The canonical model is formed in the usual way ([?], 
§5); i.e., the accessibility relations on $\mathcal{M}$ induced by the modal operators K, $\bigcirc$ 
and S are defined as follows: 

$$
\begin{array}{lcl}
s \xrightarrow{K} t & :\iff & \{\alpha \in \mathcal{F} \mid K\alpha \in s\} \subseteq t \\
s \xrightarrow{\bigcirc} t & :\iff & \{\alpha \in \mathcal{F} \mid \bigcirc\alpha \in s\} \subseteq t \\
s \xrightarrow{S} t & :\iff & \{\alpha \in \mathcal{F} \mid S\alpha \in s\} \subseteq t,
\end{array}
$$

for all maximal S-consistent sets s, t from the carrier set of $\mathcal{M}$ (which we desig-
nate C).⁴ Note that the distinguished valuation of the canonical model is defined 
by 

$\sigma(A, s) = 1 \ :\iff\ A \in s$ ($A \in PV$, $s \in C$). 

We are going to present some useful properties of the canonical model for which 
the special axioms of our system are responsible. First of all, however, we recall 
the truth lemma. 



Lemma 1. Let us denote the usual satisfaction relation of multimodal logic by 
$\models$, and let $\vdash$ designate S-derivability. Then it holds that 

(a) for all $\alpha \in \mathcal{F}$ and $s \in C$: $\mathcal{M} \models \alpha[s]$ iff $\alpha \in s$, and 

(b) for all $\alpha \in \mathcal{F}$: $\mathcal{M} \models \alpha$ iff $\vdash \alpha$. 



The results stated in parts (a) and (b) of the following proposition are well-
known; as to (c) compare with [?], Proposition 7. 

Proposition 2. (a) The relation $\xrightarrow{K}$ is an equivalence relation on the set C. 

(b) The relation $\xrightarrow{\bigcirc}$ is a function on C. 

(c) Let $s, t, u \in C$ be given such that $s \xrightarrow{\bigcirc} t \xrightarrow{K} u$. Then there exists a point 
$v \in C$ satisfying $s \xrightarrow{K} v \xrightarrow{\bigcirc} u$. 

Part (a) is forced by axioms (3), (4), and (5), essentially, while axioms (8) 
and (9) imply the assertions of (b) and (c) respectively. 

The impact of the scheme (11) on the canonical model is described in the sub-
sequent proposition (see also Figure 1). 

⁴ In the context of topological modal logic the notion of (maximal) S-consistency is 
the same as in ordinary modal logic. 

[Fig. 1. A diagram illustrating Proposition 3] 

Proposition 3. Let $s, t, u \in C$ be given such that $s \xrightarrow{\bigcirc} t$ and $s \xrightarrow{S} u$. Then 
there exists an element $v \in C$ satisfying $s \xrightarrow{K} v$, $v \xrightarrow{S} t$ and $v \xrightarrow{\bigcirc} u$. 

Finally, axiom (12) has some effect on the interaction of the accessibility 
relations on the canonical model as well: 

Proposition 4. Let $s, t, u \in C$ be given such that $s \xrightarrow{K} t \xrightarrow{\bigcirc} u$. Then there 
exists an element $v \in C$ satisfying $s \xrightarrow{\bigcirc} v \xrightarrow{K} u$, or $s \xrightarrow{S} u$ is valid. 

As a consequence we get that the relation $\xrightarrow{K} \circ \xrightarrow{\bigcirc}$ is the union of the 
relations $\xrightarrow{\bigcirc} \circ \xrightarrow{K}$ and $\xrightarrow{S}$. This follows from the previous proposition, parts 
(b) and (c) of Proposition 2, and Proposition 3. 

Corollary 1. $\xrightarrow{K} \circ \xrightarrow{\bigcirc} \ =\ \xrightarrow{\bigcirc} \circ \xrightarrow{K} \ \cup\ \xrightarrow{S}$. 



4 Completeness 

In this section we sketch how completeness of the proposed logical system S 
can be obtained by constructing a subset tree model that falsifies a given non-
derivable formula. The main idea is to use a Henkin-like construction. Such 
a construction seems to be necessary because it is not clear how to obtain the 
separation property for sets directly on the canonical model.⁵ 

Let $\alpha \in \mathcal{F}$ be non-S-derivable. Then there exists a maximal S-consistent set 
$t \in C$ containing $\neg\alpha$. Fix t and a distinguished point $x_0$ from a sufficiently large 
set of points, Y. We can construct a sequence of triples $(X_n, d_n, s_n)$ inductively 
such that for every $n \in \mathbb{N}$ 

— $X_n$ is a finite set containing $x_0$; 

— $d_n : X_n \times D_n \to \mathcal{P}_0(X_n)$ is a partial function, where $D_n$ is an initial segment 
of $\mathbb{N}$ and $\mathcal{P}_0(X_n)$ is the set of non-empty subsets of $X_n$; on its domain, $d_n$ 
satisfies the condition of Definition 1 (required for d there); additionally, 
$d_n(x_0, 0) = X_n$ holds; 

— $s_n : X_n \times D_n \to C$ is a partial function such that $s_n(x, m)$ is defined iff 
$d_n(x, m)$ is defined; moreover, for all $x \in X_n$ and $m \in D_n$ the following 
assertions are valid: 

• for all $y \in X_n$: if $y \in d_n(x, m)$, then $s_n(x, m) \xrightarrow{K} s_n(y, m)$; 

• if $m+1 \in D_n$ and $d_n(x, m+1)$ exists, then $s_n(x, m) \xrightarrow{\bigcirc} s_n(x, m+1)$; 

• if $m+1 \in D_n$, $y \in d_n(x, m)$, and $d_n(x, m+1), d_n(y, m+1)$ exist such 
that $d_n(x, m+1) \cap d_n(y, m+1) = \emptyset$, then 

$s_n(x, m) \xrightarrow{S} s_n(y, m+1)$ ($y \in X_n$); 

• $s_n(x_0, 0) = t$. 

⁵ The reader should note that step by step constructions are used also in other, more 
advanced parts of modal logic like the mosaic method ([?], Section 5.5.2). 

The structures $(X_n, d_n, s_n)$ represent approximations to the desired model; es-
pecially, $d_n$ turns out to be a finite sequence of equivalence relations. 

The construction ensures that for all $n \in \mathbb{N}$ it holds that 

— $X_n \subseteq X_{n+1}$ and $D_n \subseteq D_{n+1}$, 

— $d_{n+1}(x, m) \supseteq d_n(x, m)$ for all $x \in X_n$, $m \in D_n$, and 

— $s_{n+1}|_{X_n \times D_n} = s_n$. 

Furthermore, the following conditions are guaranteed: 

— if $L\beta \in s_n(x, m)$, then there is some $k \geq n$ and some $y \in d_k(x, m)$ such that 
$\beta \in s_k(y, m)$; 

— if $\bigcirc\beta \in s_n(x, m)$, then $\beta \in s_k(x, m+1)$ for some $k \geq n$; 

— if $T\beta \in s_n(x, m)$, then there are $k \geq n$ and $y \in d_k(x, m)$ such that 
$d_k(x, m+1), d_k(y, m+1)$ exist, $d_k(x, m+1) \cap d_k(y, m+1) = \emptyset$, 
and $\beta \in s_k(y, m+1)$. 

Now suppose that we have carried out the construction meeting these require-
ments successfully. Let $(X, d, s)$ be the limit of the structures $(X_n, d_n, s_n)$, i.e., 

— $X = \bigcup_{n \in \mathbb{N}} X_n$, 

— d is defined as the prolongation of all of the mappings $d_n$, and 

— s is given by $s(x, m) := s_n(x, m)$ for the smallest number n such that 
$s_n(x, m)$ is defined. 

Letting 

$\sigma(A, x) = 1 \ :\iff\ A \in s(x, 0)$ 

for all $A \in PV$ and $x \in X$, the resulting structure is the one we are looking 
for, as will be seen below. We state the following easy consequences of the above 
conditions first. 
Proposition 5. $\mathcal{M} := (X, d, \sigma)$ is a subset tree model such that $d(x_0, 0) = X$; 
in particular, d and s are total functions. Moreover, the following properties hold 
for all $m \in \mathbb{N}$, $x \in X$, and $\beta \in \mathcal{F}$: 

— $(\forall y \in X)\,[y \in d(x, m) \Rightarrow s(x, m) \xrightarrow{K} s(y, m)]$; 

— $L\beta \in s(x, m) \Rightarrow (\exists y \in d(x, m))\ \beta \in s(y, m)$; 

— $s(x, m) \xrightarrow{\bigcirc} s(x, m+1)$; 

— $\bigcirc\beta \in s(x, m) \Rightarrow \beta \in s(x, m+1)$; 

— for all $y \in X$: 
$y \in d(x, m) \wedge d(x, m+1) \cap d(y, m+1) = \emptyset \Rightarrow s(x, m) \xrightarrow{S} s(y, m+1)$; 

— if $T\beta \in s(x, m)$, then 
$(\exists y \in d(x, m))\,[d(x, m+1) \cap d(y, m+1) = \emptyset \wedge \beta \in s(y, m+1)]$; 

— $s(x_0, 0) = t$. 

Applying this proposition, the subsequent lemma can be proved by a struc-
tural induction. Note that axiom scheme (6) has to be used in the case of a propo-
sitional variable. 

Lemma 2. Let $\mathcal{M} = (X, d, \sigma)$ be the subset tree model just constructed, and 
let s be the function from above. Then for all $\beta \in \mathcal{F}$ and every neighbourhood 
situation $x, U_j^x$ of $\mathcal{M}$ we have that 

$x, U_j^x \models_{\mathcal{M}} \beta \iff \beta \in s(x, j)$. 

Since $\neg\alpha \in t = s(x_0, 0)$ and $U_0^{x_0} = X$, we get the desired completeness 
theorem: 

Theorem 1. The non-S-derivable formula $\alpha$ is falsified in the subset tree model 
$\mathcal{M}$ at the neighbourhood situation $x_0, X$. 

What remains to be done in order to finish the proof of the theorem is to carry 
out the inductive definition of the triples $(X_n, d_n, s_n)$ such that the conditions 
stated before Proposition 5 are fulfilled. This makes up the main technical part 
of the proof, in which the properties of the accessibility relations on the canonical 
model proved in Section 3 come into play. 

The basic idea is to "realize" every "existential" formula $L\beta$, $\bigcirc\beta$, and $T\beta$, 
respectively, which is contained in some already attached maximal S-consistent 
set $s_n(x, m)$, in a future step of the construction. For this purpose we must 
carefully arrange the order of the construction steps. Actually, we have to choose 
enumerations of the sets 

$\{(L\beta, x, m) \in \mathcal{F} \times X_n \times D_n \mid s_n(x, m) \ \text{is defined and}\ L\beta \in s_n(x, m)\}$, 

$\{(\bigcirc\beta, x, m) \in \mathcal{F} \times X_n \times D_n \mid s_n(x, m) \ \text{is defined and}\ \bigcirc\beta \in s_n(x, m)\}$, 

and 

$\{(T\beta, x, m) \in \mathcal{F} \times X_n \times D_n \mid s_n(x, m) \ \text{is defined and}\ T\beta \in s_n(x, m)\}$, 

respectively, in each step, too. Then the inductive definition of the model pro-
ceeds along a "global" enumeration $\Lambda$, which "schedules" processing correctly 
to triples $(L\beta, x, m)$, $(\bigcirc\beta, x, m)$, and $(T\beta, x, m)$, such that all of the above sets 
are exhausted eventually; in particular, every triple $(\bigcirc\gamma, x, m)$ always precedes 
a triple $(T\beta, x, m)$ w.r.t. the global enumeration. All this can be done in a way 
which is similar to that carried out in [?], Section 2.2. So we need not regard the 
enumerations any more in the following. 

We omit the simple start of the inductive definition of $(X_n, d_n, s_n)$ and treat 
only the case "$T\beta$" of the induction step, in which, however, the case "$\bigcirc\beta$" has 
to be considered as well. So let $(X_n, d_n, s_n)$ be already defined and assume that 

$T\beta \in s_n(x, m)$ is going to be realized in step $n+1$. 

Now we choose $y \in Y \setminus X_n$, and we define $X_{n+1} := X_n \cup \{y\}$. According to 
the above mentioned property of the global enumeration we may assume that 
$m+1 \in D_n$. Therefore, we let $D_{n+1} := D_n$. Our next task is to define the 
mapping $d_{n+1}$. It is given by the following conditions: 

$$
d_{n+1}(v, l) :=
\begin{cases}
d_n(v, l) \cup \{y\} & \text{if } x \in d_n(v, l) \text{ and } l \leq m \\
\{y\} & \text{if } v = y \text{ and } l = m+1 \\
d_n(v, l) & \text{otherwise,}
\end{cases}
$$

for all $v \in X_{n+1}$ and $l \in D_{n+1}$. 

The definition of $s_{n+1}$ is somewhat more complicated. First, there is an element 
$t \in C$ of the canonical model such that $s_n(x, m) \xrightarrow{S} t$ and $\beta \in t$, as is known 
from standard modal proof theory. Since there exists a formula $\gamma$ such that the 
triple $(\bigcirc\gamma, x, m)$ has already been considered, we get 

$s_n(x, m) \xrightarrow{\bigcirc} u$ for some $u \in C$ 

because of some former construction step. Now Proposition 3 applies. Thus we 
obtain an element $v \in C$ satisfying 

$s_n(x, m) \xrightarrow{K} v$, $v \xrightarrow{S} u$ and $v \xrightarrow{\bigcirc} t$. 

Finally, let $v_0, \ldots, v_m = v$ be points of C such that 

$s_n(x, j) \xrightarrow{K} v_j$ as well as $v_0 \xrightarrow{\bigcirc} v_1 \xrightarrow{\bigcirc} \cdots \xrightarrow{\bigcirc} v_m$ 

is valid ($j = 0, \ldots, m$); the existence of these elements is guaranteed by Propo-
sition 2(c). Then we define $s_{n+1}$ by 

$$
s_{n+1}(z, l) :=
\begin{cases}
s_n(z, l) & \text{if } z \neq x, y \\
s_n(z, l) & \text{if } z = x \text{ and } l \leq m \\
t & \text{if } z = y \text{ and } l = m+1 \\
v_j & \text{if } z = y \text{ and } l = j \ (j = 0, \ldots, m)
\end{cases}
$$

for all $z \in X_{n+1}$ and $l \in D_{n+1}$. 

[Fig. 2. A single step in the model construction] 

The validity of almost all requirements on $X_{n+1}$, $d_{n+1}$ and $s_{n+1}$, which are for-
mulated at the beginning of this section, is easy to see now. We only concentrate 
on the subsequent one presently: 

if $m+1 \in D_{n+1}$, $y \in d_{n+1}(x, m)$, and $d_{n+1}(x, m+1)$, $d_{n+1}(y, m+1)$ exist 
such that $d_{n+1}(x, m+1) \cap d_{n+1}(y, m+1) = \emptyset$, then 

(*) $s_{n+1}(x, m) \xrightarrow{S} s_{n+1}(y, m+1)$ ($y \in X_{n+1}$). 

At this stage of the construction Proposition 4 plays its part, by which it is 
implied that condition (*) is in fact valid in case 

$s_{n+1}(x, m+1) \xrightarrow{K} s_{n+1}(y, m+1)$ 

never holds if $d_{n+1}(x, m+1) \cap d_{n+1}(y, m+1) = \emptyset$. The latter is true due to 
the proceeding in the "$\bigcirc\beta$"-case, in which all elements $w \in d_n(x, m)$ such that 
$s_n(w, m)$ has a $\bigcirc$-successor being $\xrightarrow{K}$-equivalent to the $\bigcirc$-successor of $s_n(x, m)$ 
are collected in $d_{n+1}(x, m+1)$.⁶ Thus the above requirement is met. Figure 
2 illustrates the step of the model construction just described. 

As was already announced, further details are omitted in this draft; they will 
be included in the full version of this paper.⁷ 

One of the main results of the given paper is obtained as an easy consequence 
of Proposition 1 and Theorem 1 now. 

⁶ An easy consideration shows that nothing bad can happen in the "$L\beta$"-case then, 
too. 

⁷ See also [12]. 
Corollary 2. The system S is sound and complete w.r.t. the class of subset tree 
models. 

5 Decidability 

The completeness proof outlined in the previous section does not give the finite 
model property of the system S. Now we introduce appropriate Kripke struc-
tures w.r.t. which S is sound and complete as well and the finite model property 
is satisfied. This gives decidability of the logic. 

Definition 3. Let $\mathcal{M} := (W, \{R, Q, P\}, \sigma)$ be a trimodal model (i.e., W is a 
non-empty set, R, Q and P are binary relations on W, and $\sigma$ is a valuation). 
Then $\mathcal{M}$ is called an LS-model, iff 

— R is an equivalence relation and 

— Q is a function on W; 

— the relation $R \circ Q$ equals the union of the relations $Q \circ R$ and P; 

— for all s, t such that $sQt$ it holds that 

$\mathcal{M} \models A[s]$ iff $\mathcal{M} \models A[t]$ ($A \in PV$). 

Note that the relation R corresponds with the modality K; accordingly, Q 
and $\bigcirc$ as well as P and S are related. We get the following theorem. 

Theorem 2. A formula $\alpha \in \mathcal{F}$ is S-derivable, iff it holds in every LS-model. 

In order to prove the finite model property one has to use a suitable filtration 
of the canonical model $\mathcal{M}$ of the system S. Due to the results in Section 3, $\mathcal{M}$ 
actually is an LS-model, and the filtration can be arranged in a way such that 
this property is essentially preserved. 

Let $\alpha \in \mathcal{F}$ be a formula for which we want to find a finite model. Then the 
filtration of the canonical model is carried out w.r.t. the set $\Sigma$ of formulas which 
is defined as follows ($sf(\alpha)$ designates the set of subformulas of $\alpha$): 

$\Sigma^{\neg} := sf(\alpha) \cup \{\neg\gamma \mid \gamma \in sf(\alpha)\}$; 

$\Sigma^{\wedge} := \Sigma^{\neg}$ joined with the set of all finite conjunctions of distinct 
elements of $\Sigma^{\neg}$; 

$\Sigma^{L} := \{L\beta \mid \beta \in \Sigma^{\wedge}\}$; 

$\Sigma := \Sigma^{\wedge} \cup \Sigma^{L}$. 

The main purpose of the above definition is to guarantee that the crucial proper-
ties of the relations $\xrightarrow{K}$, $\xrightarrow{\bigcirc}$ and $\xrightarrow{S}$ are retained by passing to the filtrations. 
In fact, this can nearly be achieved if one takes the minimal filtrations of the 
respective accessibility relations. 

Lemma 3. Let $\bar{C}$ be the $\Sigma$-filtration of C, and let $\bar{R}, \bar{Q}$ and $\bar{P}$ be the minimal 
filtrations of $\xrightarrow{K}$, $\xrightarrow{\bigcirc}$, and $\xrightarrow{S}$, respectively. Moreover, let $\bar{\sigma}$ be induced by the 
distinguished valuation of the canonical model. Then, apart from the functionality 
of $\bar{Q}$, $\bar{\mathcal{M}} := (\bar{C}, \{\bar{R}, \bar{Q}, \bar{P}\}, \bar{\sigma})$ is an LS-model. 




152 



Bernhard Heinemann 



The deficiency left over can be rectified by an unwinding procedure followed 
by an appropriate model surgery. The details of the corresponding constructions 
resemble the procedure in the usual linear time temporal logic; see [0], §9. 

To sum up, we can state: 

Theorem 3. The system S satisfies the finite model property w.r.t. the class of 
LS-models. 

As a corollary we obtain decidability of the logic, as desired. 

Corollary 3. The set of all S-derivable formulas is decidable. 

6 Concluding Remarks 

In several applications the set of opens O of the considered subset frame is 
closed under complementation, as is the case, e.g., for the Cantor space mentioned 
above. One would like to treat such a richer, hence more compli- 
cated structure of O logically as well. To this end we regard complementation as negation 
at a preliminary stage, i.e., we let an open and its complement be distinguish- 
able by a formula and its negation respectively. This allows us to retain the 
basic logical language from Section 2, leading to the following semantics of the 
complementation operator, which we designate C: 

x,Uf \=Ca:^ yyGUf: 

y e y, C/J+i h and 

y y, C/J+i ^ a, 

for all neighbourhood situations x, Uf of the underlying subset tree model. Ac- 
tually, C is expressible in the former framework: 

Proposition 6. For all α ∈ F, the formulas Cα and α ∧ (f)Kα are equivalent 
in every subset tree model. 

In this way we get a weak solution to the problem of integrating complemen- 
tation in the modal logic of subset spaces. A stronger version should provide an 
operator acting more directly on the given complement-closed system of sets. 
But we then have to change the formalism: either the monotonicity requirement 
which is expressed by axiom scheme (9) has to be given up, or the functionality 
of the modal operator quantifying over sets. In particular, the first way goes beyond 
what is typical of topological modal logic, whereas for the second the logical lan- 
guage used presently is not fitting. In any case, further research should provide 
a proper integration of other set-valued operators into the modal logic of subset 
spaces. The treatment of complementation seems to be particularly interesting 
since there are connections with logics of a different nature [Z]. 

Another topic is the question of efficiency of the logic given here. Since ramifi- 
cation occurs in LS'-models, the complexity of deciding the validity of a formula 
is presumably high. In fact, PSPACE-hardness of this problem can be shown 
utilizing methods due to Ladner m - 
Concluding, we summarize the issues of the given paper: an extension of the 
subset space logic of knowledge and time by a modal operator which separates 
sets has been obtained. An axiomatization of the set of formulas valid in every 
subset tree model was given and proved to be sound and semantically complete. 
Furthermore, decidability of the set of validities was shown. 
Interpolation in Modal Logic* 



Maarten Marx 

Institute for Logic, Language and Information, University of Amsterdam, 

The Netherlands 



Abstract. The interpolation property and Robinson’s consistency prop- 
erty are important tools for applying logic to software engineering. We 
provide a uniform technique for proving the Interpolation Property, using 
the notion of bisimulation. For modal logics, this leads to simple, easy- 
to-check conditions on the logic which imply interpolation. We apply 
this result to fibering of modal logics and to modal logics of knowledge 
and belief. 

Keywords: Interpolation, modal logic (of knowledge and belief), fibering 



In 1957, W. Craig proved the interpolation theorem for first order logic. Since 
Craig’s paper interpolation has become one of the standard properties that one 
investigates when designing a logic, though it hasn’t received the status of a 
completeness or a decidability theorem. One of the main reasons why a logic 
should have interpolation is because of “modular theory building”. Assuming 
compactness, interpolation in modal logic is equivalent to the following property 
[Marx and Areces 1997] (which is the semantical version of Robinson’s consis- 
tency lemma): 

If two theories T1, T2 both have a model, and they don’t contradict 
each other on the common language (i.e., there is no formula θ built 
up from atoms occurring both in T1 and in T2 such that T1 ⊨ θ and 
T2 ⊨ ¬θ), then T1 ∪ T2 has a model. 

The property is not only intuitively valid for scientific reasoning, it also has 
practical (and computational) consequences. In practice it shows up in the in- 
cremental design, specification and development of software, and has received 
quite some attention in that community (cf., e.g., [Maibaum and Sadler 1984; 
Renardel de Lavalette 1989]). 

In the real world, we see this phenomenon with mergers of two companies 
(which might already have ties in the form of shared daughters or stocks). Often 
it is a highly non-trivial problem to merge their respective databases as well. 
Clearly Robinson’s consistency property can help here: if the logic behind the 
databases has the property, the two can be combined precisely when they don’t 
contradict each other on their common part. (This seems a necessary precondi- 
tion for the merger of the two companies as well. . . ) 

* The author is supported by the Institute of Logic, Language and Information, Am- 
sterdam, The Netherlands, and by UK EPSRC grant No. GR/K54946. 
1 Interpolation in Modal Logic 

In this section, we deal with general modal logics and give a structural description 
of a large number of them with interpolation. This description is based on the 
notion of bisimulation. We start with the necessary definitions. 

1.1 Preliminaries 

Modal logic. A modal similarity type S is a pair (O, ρ) with O a set of logical 
connectives and ρ : O → ω a function assigning to each symbol in O a finite 
rank or arity. We call L(K_S) a modal logic of type S = (O, ρ), if L is a tuple 
(Fml_S, K_S, ⊩_S) in which, 

— Fml_S is the smallest set containing countably many propositional variables, 
and which is closed under the Boolean connectives and the connectives in O. 

— K_S is a class of frames of the form (W, R^◇)_{◇∈O} in which W is a non-empty 
set, and each R^◇ is a subset of W^{ρ(◇)+1}. 

— ⊩_S is the usual truth-relation from modal logic between models over frames 
in K, worlds and formulas. For the modal connectives it is defined as 

M, x ⊩ ◇(φ1, ..., φ_{ρ◇}) ⟺ (∃x1 ... x_{ρ◇}) : R^◇ x x1 ... x_{ρ◇} & 
M, x1 ⊩ φ1 & ... & M, x_{ρ◇} ⊩ φ_{ρ◇}. 

Logical consequence is defined globally, i.e., Th ⊨_{L(K)} φ iff for every K-model 
in which Th is true in every world, φ is also true in every world. If 𝔉 is a 
frame, we use F to denote its universe. For 𝔉 a frame and x1 ... xn elements 
of its domain, R_𝔉 x1, ..., xn abbreviates 𝔉 ⊨ R x1, ..., xn. Let P be a set of 
propositional variables. We call a logic L(K) canonical, if, for every choice of P, 
the canonical frame of L(K) (cf. [Hughes and Cresswell 1984]) is a member of K. 

Interpolation. In the literature we find the following formulations of the in- 
terpolation property for compact logics (cf., e.g., Maksimova [Maksimova 1991], 
Rodenburg [Rodenburg 1992]): 

AIP A logic L has the Arrow Interpolation Property (AIP) if, whenever ⊨_L 
φ → ψ, there exists a formula θ such that ⊨_L φ → θ, ⊨_L θ → ψ and 

Σ(θ) ⊆ Σ(φ) ∩ Σ(ψ). 

TIP A logic L has the Turnstile Interpolation Property (TIP) if, whenever φ ⊨_L 
ψ, there exists a formula θ such that φ ⊨_L θ, θ ⊨_L ψ and Σ(θ) ⊆ Σ(φ) ∩ 
Σ(ψ). 

SIP A logic L has the Splitting Interpolation Property (SIP) if, whenever Γ0 ∪ 
Γ1 ⊨_L ψ, there exists a formula θ such that Γ0 ⊨_L θ, Γ1 ∪ {θ} ⊨_L ψ and 
Σ(θ) ⊆ Σ(Γ0) ∩ (Σ(Γ1) ∪ Σ(ψ)). 

Remark 1. Recall that the local consequence relation is defined as follows: Γ ⊨^loc 
φ iff for every model M, and every world w in M which satisfies Γ, φ is also 
satisfied in w. If we use the local consequence relation in the definitions of SIP, 
AIP and TIP, the three notions of interpolation collapse into one, because we have 

P 1=^0'= ijj 1= 
For canonical modal logics, the three forms of interpolation are related as 
follows. 



Proposition 1. Let L(K) be a canonical modal logic. 

(i) If L(K) has AIP, then it has TIP. 

(ii) L(K) has TIP if and only if it has SIP. 

Proof. We use the facts that any canonical modal logic is compact both in the 
local and the global sense [Hughes and Cresswell 1984], and that we can switch 
from the global to the local perspective by φ ⊨ ψ iff {□ⁿφ | n < ω} ⊨^loc ψ 
([van Benthem]: Lemma 2.33). We prove the proposition for the uni-modal 
case. Clearly this extends to any modal similarity type. 

(i) Assume φ ⊨ ψ. This holds iff {□ⁿφ | n < ω} ⊨^loc ψ, iff (by compactness) 
□^{≤m}φ ⊨^loc ψ for some m, where □^{≤m}φ = φ ∧ □φ ∧ ... ∧ □^mφ. Iff, by the 
deduction theorem, ⊨ □^{≤m}φ → ψ. But then, by AIP, there is an interpolant θ 
such that ⊨ □^{≤m}φ → θ and ⊨ θ → ψ. Whence φ ⊨ θ and θ ⊨ ψ. 

(ii) The direction from SIP to TIP is trivial. For the other direction, assume 
Γ0 ∪ Γ1 ⊨ ψ. As above we obtain φ0, φ1 ⊨^loc ψ, where Γ0 ⊨ φ0 and 
Γ1 ⊨ φ1. Then by the deduction theorem, φ0 ⊨^loc φ1 → ψ. Whence, 
φ0 ⊨ φ1 → ψ. By TIP, we find an interpolant θ such that φ0 ⊨ θ 
and θ ⊨ φ1 → ψ. Whence, φ0 ⊨ θ and φ1, θ ⊨ ψ, so also Γ0 ⊨ θ and 
Γ1, θ ⊨ ψ. 



SIP and modularization. There is a vast amount of literature relating SIP to 
applications in computer science, in particular to the notions of modularization 
and specification. The importance of modularization for stepwise refinement of 
formal specifications has been noted by several researchers [Bergstra et al.], 
[Ehrig and Mahr 1985], [Maibaum et al. 1984], [Andréka et al. 1994], [Renardel de 
Lavalette 1989]. In [Maibaum and Sadler 1984] it is shown that a logic “supports 
specification” (in their terminology: the consequence relation preserves conser- 
vative extensions under implementation) if and only if it has SIP. [Renardel de 
Lavalette 1989] contains a similar equivalence theorem. 



Bisimulation. Let Fml be a modal language of type S = (O, ρ), and let M = (𝔉, V1) 
and N = (𝔊, V2) be two models of that type. We say that M and N are (Fml, S)- 
bisimular (notation: M ↔_{Fml,S} N) if there exists a relation B ⊆ F × G such that, 
for every propositional variable p in Fml and every pair (x, y) ∈ B it holds that 
x ∈ V1(p) ⟺ y ∈ V2(p), and for every ◇ ∈ O, 

— if R^◇ x0 x1 ... x_{ρ◇} and x0 B y0, then there exist y1, ..., y_{ρ◇} ∈ G such that 
R^◇ y0 y1 ... y_{ρ◇} and xi B yi (forward condition), 

— similarly in the other direction (backward condition). 

The relation B is called an (Fml, S)-bisimulation. If the domain of B equals F, 
and its range equals G, we call B a zigzag-connection. A function f : F → G 
is called an (Fml, S)-zigzagmorphism from M onto N (notation M →^f N), if f 
is surjective and f is an (Fml, S)-bisimulation. Note that the forward condition 
then states that f is a homomorphism. The same definition of bisimulation 
applies to frames, just forget the clause about the valuations. The important 
point about bisimulations is that worlds which stand in the bisimulation relation 
verify the same Fml-formulas. Whenever Fml and S are clear from the context, 
we drop them as a prefix. [de Rijke 1993]: Chapter 6 contains a thorough study 
of bisimulations in modal logic. 

Bisimulation-products. Let 𝔉 and 𝔊 be two type-S frames, and let B ⊆ F × G 
be an S-zigzag-connection. The frame¹ (𝔉 × 𝔊)|B is called the bisimulation- 
product of 𝔉 and 𝔊. 

Proposition 2. Every bisimulation-product is a subdirect product, and the pro- 
jection functions π0 and π1 are zigzagmorphisms. 

Proof. The product is subdirect because the bisimulation is a zigzag-connection. 
Hence the projections are surjective homomorphisms. To show the backward 
condition, we reason as follows. Let 𝔥 be a bisimulation-product of 𝔉 and 𝔊. 
(We prove the statement for a binary relation and for π0 only; all other cases are 
similar.) Suppose R^𝔉 π0(x) y. Because 𝔉 and 𝔊 are bisimular and π0(x) B π1(x), 
we find a y' such that R^𝔊 π1(x) y' and y B y'. But then, (y, y') ∈ H and R^𝔥 x (y, y'), 
which is what was needed. 

Remark 2. A notion which is sometimes easier to work with is that of zigzag- 
products (cf., [Marx]). A frame 𝔥 is a zigzag-product of two frames 𝔉 and 𝔊, 
if 𝔥 is a subdirect product of 𝔉 and 𝔊, and the projections are zigzagmorphisms. 
By the last proposition, every bisimulation-product is a zigzag-product. The 
other side also holds: if 𝔥 is a zigzag-product of 𝔉 and 𝔊, then H is a zigzag- 
connection, whence 𝔥 is a bisimulation-product. (The easy proof is left to the 
reader.) This equivalence shows that zigzag-products form an elegant way of 
describing all zigzag-connections between two frames. 
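As an added example (not from the paper), the following Python makes the definitions of this subsection executable for frames with one binary relation: it checks the bisimulation clauses, computes the largest bisimulation between two finite models by fixpoint refinement, tests the zigzag-connection condition, builds the bisimulation-product (𝔉 × 𝔊)|B, and verifies Proposition 2 for it by checking that both projections are zigzagmorphisms. The two models are constructed for the example.

```python
def is_bisimulation(M, N, B):
    """B (a set of pairs) is a bisimulation between the models M and N, each given
    as (worlds, R, val) with R a set of pairs (one unary modality, so a binary
    relation) and val a dict variable -> set of worlds."""
    W1, R1, V1 = M
    W2, R2, V2 = N
    for (x, y) in B:
        for p in set(V1) | set(V2):                      # agreement on variables
            if (x in V1.get(p, set())) != (y in V2.get(p, set())):
                return False
        for (x0, x1) in R1:                              # forward condition
            if x0 == x and not any((y, y1) in R2 and (x1, y1) in B for y1 in W2):
                return False
        for (y0, y1) in R2:                              # backward condition
            if y0 == y and not any((x, x1) in R1 and (x1, y1) in B for x1 in W1):
                return False
    return True

def is_zigzag_connection(M, N, B):
    """A bisimulation whose domain is all of F and whose range is all of G."""
    return (is_bisimulation(M, N, B)
            and {x for x, _ in B} == set(M[0]) and {y for _, y in B} == set(N[0]))

def largest_bisimulation(M, N):
    """Greatest fixpoint: start from all pairs that agree on the variables and
    drop pairs violating the forward or backward condition until nothing changes."""
    W1, R1, V1 = M
    W2, R2, V2 = N
    names = set(V1) | set(V2)
    B = {(x, y) for x in W1 for y in W2
         if all((x in V1.get(p, set())) == (y in V2.get(p, set())) for p in names)}
    changed = True
    while changed:
        changed = False
        for (x, y) in list(B):
            fwd = all(any((y, y1) in R2 and (x1, y1) in B for y1 in W2)
                      for (x0, x1) in R1 if x0 == x)
            bwd = all(any((x, x1) in R1 and (x1, y1) in B for x1 in W1)
                      for (y0, y1) in R2 if y0 == y)
            if not (fwd and bwd):
                B.discard((x, y))
                changed = True
    return B

def bisimulation_product(F, G, B):
    """The frame (F x G)|B: universe B, with (x, y) related to (x1, y1) iff
    x R_F x1 and y R_G y1 (the substructure of the direct product)."""
    W1, R1 = F
    W2, R2 = G
    R = {((x, y), (x1, y1)) for (x, y) in B for (x1, y1) in B
         if (x, x1) in R1 and (y, y1) in R2}
    return (set(B), R)

def is_zigzagmorphism(F, G, f):
    """f (a dict) is a zigzagmorphism from frame F onto frame G: surjective, and
    its graph is a bisimulation (forward = homomorphism, plus backward)."""
    W1, R1 = F
    W2, R2 = G
    if set(f.values()) != set(W2):
        return False
    graph = {(x, f[x]) for x in W1}
    return is_bisimulation((W1, R1, {}), (W2, R2, {}), graph)

# Constructed models (not from the paper): a chain 0 -> 1 -> 2 and a diamond
# a -> b -> d, a -> c -> d; p holds only at the last world of each.
M = ({0, 1, 2}, {(0, 1), (1, 2)}, {"p": {2}})
N = ({"a", "b", "c", "d"}, {("a", "b"), ("a", "c"), ("b", "d"), ("c", "d")}, {"p": {"d"}})

def demo():
    B = largest_bisimulation(M, N)
    F, G = (M[0], M[1]), (N[0], N[1])
    H = bisimulation_product(F, G, B)
    pi0 = {w: w[0] for w in H[0]}          # projection onto the first frame
    pi1 = {w: w[1] for w in H[0]}          # projection onto the second frame
    return (B, is_zigzag_connection(M, N, B),
            is_zigzagmorphism(H, F, pi0), is_zigzagmorphism(H, G, pi1))

if __name__ == "__main__":
    print(demo())
```

For the two sample models the largest bisimulation relates 0 to a, 1 to both b and c, and 2 to d; it is total on both sides, so it is a zigzag-connection, and the product over it has both projections as zigzagmorphisms, as Proposition 2 predicts.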

1.2 Interpolation via Bisimulation 

Theorem 1. Let L(K) be a canonical modal logic. If K is closed under bisimula- 
tion-products, then L(K) enjoys all types of interpolation. 



Corollary 1. Let L(K) be a canonical modal logic. If K is defined by a universal 
Horn theory, then L(K) enjoys all types of interpolation. 

¹ For B ⊆ F × G, (𝔉 × 𝔊)|B denotes the substructure with universe B of the direct 
product of the structures 𝔉 and 𝔊. Such a substructure of a direct product is called 
subdirect if the projections are surjective. 
Proof. By Theorem 1, since every bisimulation-product is a subdirect product, 
and universal Horn sentences are preserved under the latter. 

Proof of Theorem 1. Let L(K) be a canonical modal logic of an arbitrary 
type S. Assume that K is closed under bisimulation-products. By Proposition 1 
it is sufficient to show that the logic has AIP. We reason by contraposition. 
Let φ, ψ be arbitrary L(K) formulas. Suppose that there is no L(K) formula 
which is an interpolant for φ → ψ. We have to show that φ ∧ ¬ψ is satisfiable. 
Let Fml_φ, Fml_ψ and Fml_{φψ} be the L(K) languages generated by the proposi- 
tional variables in φ, the ones in ψ, and the common variables, respectively. Let 
M_φ = (𝔉_φ, v_φ) and M_ψ = (𝔉_ψ, v_ψ) be the canonical models (cf. Hughes-Cresswell 
[Hughes and Cresswell 1984]) of the languages Fml_φ and Fml_ψ, respectively. 

Claim. (i) B =def {(w, v) ∈ F_φ × F_ψ : Fml_{φψ} ∩ w = Fml_{φψ} ∩ v} is an (Fml_{φψ}, S)- 
zigzag-connection between M_φ and M_ψ. 

(ii) There exists a (w, v) ∈ B such that M_φ, w ⊩ φ and M_ψ, v ⊩ ¬ψ. 

Proof of Claim. (i) The domain of B equals F_φ, because, for every w ∈ F_φ, 
the set Fml_{φψ} ∩ w is Fml_ψ-consistent, whence can be extended to a maximal 
consistent set v ∈ F_ψ. So (w, v) ∈ B. The argument for range and F_ψ is sym- 
metric. The condition about valuations is satisfied by definition. We show the 
forward condition, the backward condition is shown similarly. For notational 
convenience, we deal with a binary relation. Suppose R^φ xy and x B x'. By defi- 
nition of canonical model, R^φ xy ⟺ (∀θ ∈ y) : ◇θ ∈ x. Hence, using x B x', we 
have (∀θ ∈ (Fml_{φψ} ∩ y)) : ◇θ ∈ x'. But then, by general modal-logical consider- 
ations, (Fml_{φψ} ∩ y) can be extended to an element y' ∈ F_ψ such that R^ψ x'y'. 
Clearly y B y'. 

To prove (ii), create the set {θ ∈ Fml_{φψ} : ⊨ φ → θ} ∪ {¬θ ∈ Fml_{φψ} : ⊨ θ → ψ}. 
Since we assumed there is no interpolant for φ and ψ, we have ⊭ φ → ⊥ 
and ⊭ ⊤ → ψ, hence the two sets are satisfiable. Suppose to the contrary 
that the union is not satisfiable. Then we have some θ1, θ2 ∈ Fml_{φψ} such that 
⊨ θ1 ∧ ¬θ2 → ⊥, ⊨ φ → θ1 and ⊨ θ2 → ψ. But then θ1 is an interpolant, which 
contradicts the assumption. So the union is satisfiable, and we can extend it to a 
maximal set u in Fml_{φψ}. Clearly also u ∪ {φ} and u ∪ {¬ψ} are satisfiable, so we 
can extend these two sets to w ∈ F_φ and v ∈ F_ψ. By the definitions, (w, v) ∈ B 
and M_φ, w ⊩ φ and M_ψ, v ⊩ ¬ψ. ◄ 

Define the frame 𝔉* = (𝔉_φ × 𝔉_ψ)|B, the valuation v* for the union of the two 
languages as (w, v) ∈ v*(p) ⟺ w ∈ v_φ(p) or v ∈ v_ψ(p), and let M* = (𝔉*, v*). 
v* is well-defined, because for (w, v) ∈ B and p in the common language, w ∈ 
v_φ(p) iff v ∈ v_ψ(p). By canonicity, 𝔉_φ and 𝔉_ψ are in K. 𝔉* is a bisimulation- 
product of these two, whence, by assumption, 𝔉* ∈ K. By (ii) of the claim, 
there exist worlds w and v such that w B v, M_φ, w ⊩ φ and M_ψ, v ⊩ ¬ψ. By 
Proposition 2 and the definition of v*, the projections π0 and π1 are (Fml_φ, S)- 
and (Fml_ψ, S)-zigzagmorphisms respectively. This gives us M*, (w, v) ⊩ φ ∧ ¬ψ. 
Because 𝔉* ∈ K, this means that φ ∧ ¬ψ is satisfiable in the logic L(K). QED 
Remark 3. [Németi 1985] uses a construction similar to bisimulation-products, 
in order to show that the algebraic counterpart of weakened first-order logic has 
the strong amalgamation property. [Marx] contains an overview of the con- 
nections between interpolation properties of logics and amalgamation properties 
of their algebraic counterparts. 



2 Interpolation in Fibered Modal Logic 

[van Benthem] defines the following strengthening of the interpolation prop- 
erty. A logic L has the strong AIP if, whenever ⊨_L φ → ψ, there exists a formula 
θ such that ⊨_L φ → θ, ⊨_L θ → ψ and Σ(θ) ⊆ Σ(φ) ∩ Σ(ψ) and all modalities 
occurring in θ occur both in φ and in ψ. 

Strong interpolation only makes sense in multi-modal logics. The following 
example shows that it is really stronger than AIP. Let L be the modal logic of 
two unary modalities ◇1 and ◇2 with the only condition on the frames that 
∀xy(R^{◇1} xy ⟺ R^{◇2} xy). It is easy to see that L is a canonical modal logic which 
can be axiomatized by the K-axioms plus ◇1 p ↔ ◇2 p. By Corollary 1, L has 
AIP. But strong AIP fails as is easy to see using the L-valid formula ◇1⊤ → ◇2⊤. 

So axioms stating an interaction between the modalities can destroy strong 
AIP. The next theorem shows that without interaction axioms, strong AIP is 
fairly common. For multi-S5 the theorem is proved in [van Benthem]. Here 
we use a different argument, which is the obvious adaptation of the proof of 
Theorem 1. 

Theorem 2 (van Benthem-Marx). Let L(K) be a canonical modal logic. If 
K is defined by a universal Horn theory without interaction axioms, then L(K) 
enjoys strong AIP. 

Proof. The argument is very similar to that of Theorem 1. Let L(K) be a modal 
logic of an arbitrary type S as in the Theorem. We reason by contraposition. Let 
φ, ψ be arbitrary L(K) formulas. Suppose that there is no L(K) formula which is 
a strong interpolant for φ → ψ. We have to show that φ ∧ ¬ψ is satisfiable. Let 
Fml_φ and Fml_ψ be the L(K) languages generated by the propositional variables in 
φ, and the ones in ψ, respectively. Let S' be the type of the modalities occurring 
in φ and ψ. Fml_{φψ} denotes the S' language generated from the variables occurring 
in both φ and ψ. We use the same (notation for the) models as in the proof of 
Theorem 1. Because we only assumed there is no strong interpolant, we have to 
define a weaker zigzag-connection B: 

Claim. (i) B = {(w, v) ∈ F_φ × F_ψ : Fml_{φψ} ∩ w = Fml_{φψ} ∩ v} is an (Fml_{φψ}, S')- 
zigzag-connection between M_φ and M_ψ. 

(ii) There exists a (w, v) ∈ B such that M_φ, w ⊩ φ and M_ψ, v ⊩ ¬ψ. ◄ 

Proof of Claim. As before. 
Now we define the common model M* = (𝔉*, v*). 𝔉* is defined as follows: 

— its domain is B, 

— for all modalities ◇ in S', R^◇ (x1, x1') ... (xn, xn') only if R^◇ x1 ... xn and 
R^◇ x1' ... xn', 

— for modalities ◇ occurring in φ but not in ψ, R^◇ (x1, x1') ... (xn, xn') only if 
R^◇ x1 ... xn, 

— for modalities ◇ occurring in ψ but not in φ, R^◇ (x1, x1') ... (xn, xn') only if 
R^◇ x1' ... xn', and 

— for all other modalities ◇, R^◇ = ∅. 

v* is defined as before: (x, x') ∈ v*(p) iff x ∈ v_φ(p) or x' ∈ v_ψ(p). 

It is easy to see that the projections π0 and π1 are (Fml_φ, S_φ)-, and (Fml_ψ, 
S_ψ)-zigzagmorphisms respectively (here S_φ denotes the modal type of all modal- 
ities occurring in φ and similar for S_ψ). This gives us M*, (w, v) ⊩ φ ∧ ¬ψ by 
(ii) of the Claim. 

So we are done if 𝔉* is a frame of the logic. 𝔉* will satisfy the conditions for 
the common modalities for the same reason as before. Moreover, any universal 
Horn sentence concerning the non-common modalities is valid in M* if it is 
valid in the respective models. Conditions for modalities not occurring in φ or ψ 
are trivially satisfied. So, since there are no interaction axioms, we covered all 
conditions, whence 𝔉* ∈ K. 

Multi-modal logics without interaction arise with combining logics using 
the dovetailing approach (cf. [Gabbay forthcoming]). E.g., by Theorem 2.10 in 
op. cit., it follows that 

Theorem 3 (Gabbay). Assume L(K_i), i ∈ I, are all canonical modal logics 
of type S_i with K_i defined by a set of first-order conditions Σ_i. Then L^I (the 
dovetailing of L(K_i)) is canonical, of type ⋃_{i∈I} S_i, and the class of frames with 
which it is complete is the class of all ⋃_{i∈I} S_i-frames satisfying ⋃_{i∈I} Σ_i. 

So Theorem 2 can be used to prove the strong AIP for dovetailed modal logics. 

3 Modal Logics for Knowledge and Belief 

Interpolation in the Standard System 

In this section, we apply Theorem 1 to modal logics of knowledge and belief. 
In the literature of philosophical logic, systems for knowledge and belief were 
studied in the 1960’s [Hintikka 1962]. In the 1980’s, these notions became one of 
the central themes in the field of AI [Halpern and Moses 1985], and are gaining 
their place in the field of computer science [Meyer et al. 1991]. It now seems 
conventional to take the system S5 for knowledge and weak S5 (or KD45) for 
belief (cf., [Halpern and Moses 1985], [Hintikka 1962], [Meyer et al. 1991]). This 
logic has all types of interpolation by Theorem 1. To be precise, the logic KB of 
knowledge and belief is a modal logic with two unary box-type modalities K (for 
knowledge) and B (for belief). It is usually presented axiomatically as follows: 
on top of the basic K axioms for K and B one assumes that 

— one does not believe false assertions (¬B⊥); 

— believers have positive (Bφ → BBφ), as well as negative (¬Bφ → B¬Bφ) 
introspection; 

— knowledge should moreover also be veridical (Kφ → φ); 

— for interaction between the two notions, the following axioms are proposed 
in the literature: 

• knowledge implies belief (Kφ → Bφ) and 

• “one is conscious of one’s beliefs” (Bφ → KBφ). 

Theorem 4. Let KB* be a logic of knowledge and belief which is defined ax- 
iomatically by adding any subset of the above principles to the basic K derivation 
system for this type. Then KB* has all types of interpolation. 

Note that strong interpolation fails because of the axiom Kφ → Bφ. 

Proof. All the principles are well-known Sahlqvist forms [Sahlqvist 1975]. Hence, 
such a logic is canonical and complete with respect to the class of frames defined 
by the Sahlqvist correspondents. By Theorem 4.3 in [Hoek], all the prin- 
ciples, except ¬B⊥, correspond to universal Horn sentences. The formula ¬B⊥ 
corresponds to ∀x∃y R^B xy. All these sentences are preserved under bisimulation- 
products. So, by Theorem 1, the logic has interpolation. 

Interpolation in Other Systems 

The logic KB is just one possibility; for some applications one might want to in- 
troduce appropriate modalities to handle e.g. multiple agents or common knowl- 
edge. [Hoek] presents a range of principles from which one can design one's 
own logic of knowledge and belief. In this article, the following types of formulas 
are defined. Let X, Y, Z be arbitrary box-type epistemic operators. Then formu- 
las of the form: 

(a) Xφ → YZφ are called positive introspection formulas 

(b) ¬Xφ → Y¬Zφ are called negative introspection formulas 

(c) XYφ → Zφ are called positive extraspection formulas 

(d) X¬Yφ → ¬Zφ are called negative extraspection formulas 

(e) X(Yφ → φ) are called trust formulas. 

We will show what these principles mean for the interpolation property. Theo- 
rem 4.3 in [Hoek] implies that all these principles are canonical, and corre- 
spond to the following frame conditions: 

(a) ∀xyz(R^Y xy & R^Z yz ⇒ R^X xz) 

(b) ∀xyz(R^Y xy & R^X xz ⇒ R^Z yz) 

(c) ∀xy(R^Z xy ⇒ ∃z(R^X xz & R^Y zy)) 

(d) ∀x∃y(R^X xy & ∀z(R^Y yz ⇒ R^Z xz)) 

(e) ∀xy(R^X xy ⇒ R^Y yy) 
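The correspondence between the schemes (a), (b), (e) and their frame conditions can be checked mechanically on a finite frame. The following Python is an added example, not from the paper: it evaluates box-formulas on a finite frame, brute-forces frame validity over all valuations of p, and compares the outcome with the frame conditions above for every choice of the operators X, Y, Z. The frame (an S5 relation for K and a KD45 relation for B, with R^B ⊆ R^K) is constructed for the example.

```python
from itertools import product

P = ("var", "p")

def box(op, f):
    return ("box", op, f)

def imp(f, g):
    return ("imp", f, g)

def neg(f):
    return ("not", f)

def extension(f, worlds, rels, val):
    """Set of worlds where formula f holds. Formulas are tuples: ("var", name),
    ("not", f), ("imp", f, g), ("box", op, f) with op a key of rels."""
    kind = f[0]
    if kind == "var":
        return set(val[f[1]])
    if kind == "not":
        return worlds - extension(f[1], worlds, rels, val)
    if kind == "imp":
        return (worlds - extension(f[1], worlds, rels, val)) | extension(f[2], worlds, rels, val)
    body = extension(f[2], worlds, rels, val)          # kind == "box"
    return {x for x in worlds if all(y in body for (x0, y) in rels[f[1]] if x0 == x)}

def valid_on_frame(f, worlds, rels, variables=("p",)):
    """Frame validity by brute force: f is true at every world under every valuation."""
    ws = sorted(worlds)
    for bits in product((False, True), repeat=len(ws) * len(variables)):
        val = {v: {w for w, t in zip(ws, bits[i * len(ws):(i + 1) * len(ws)]) if t}
               for i, v in enumerate(variables)}
        if extension(f, worlds, rels, val) != worlds:
            return False
    return True

# Frame conditions for the schemes (a), (b) and (e) of the text.
def cond_pos_intro(rels, X, Y, Z):   # (a) Xp -> YZp : forall xyz (R^Y xy & R^Z yz => R^X xz)
    return all((x, z) in rels[X] for (x, y) in rels[Y] for (y2, z) in rels[Z] if y2 == y)

def cond_neg_intro(rels, X, Y, Z):   # (b) ~Xp -> Y~Zp : forall xyz (R^Y xy & R^X xz => R^Z yz)
    return all((y, z) in rels[Z] for (x, y) in rels[Y] for (x2, z) in rels[X] if x2 == x)

def cond_trust(rels, X, Y):          # (e) X(Yp -> p) : forall xy (R^X xy => R^Y yy)
    return all((y, y) in rels[Y] for (x, y) in rels[X])

def correspondence_mismatches(worlds, rels):
    """Instances (scheme, operators) where the frame condition and brute-force
    validity of the scheme disagree; correspondence theory predicts none."""
    ops = sorted(rels)
    bad = []
    for X, Y, Z in product(ops, repeat=3):
        if cond_pos_intro(rels, X, Y, Z) != valid_on_frame(
                imp(box(X, P), box(Y, box(Z, P))), worlds, rels):
            bad.append(("a", X, Y, Z))
        if cond_neg_intro(rels, X, Y, Z) != valid_on_frame(
                imp(neg(box(X, P)), box(Y, neg(box(Z, P)))), worlds, rels):
            bad.append(("b", X, Y, Z))
    for X, Y in product(ops, repeat=2):
        if cond_trust(rels, X, Y) != valid_on_frame(box(X, imp(box(Y, P), P)), worlds, rels):
            bad.append(("e", X, Y))
    return bad

# Constructed frame (not from the paper): K is the total relation on three worlds
# (S5); B relates every world to worlds 1 and 2 (serial, transitive, Euclidean:
# KD45), and R^B is included in R^K, so Kp -> Bp holds.
WORLDS = {0, 1, 2}
RELS = {"K": {(x, y) for x in WORLDS for y in WORLDS},
        "B": {(x, y) for x in WORLDS for y in (1, 2)}}

if __name__ == "__main__":
    print("mismatches:", correspondence_mismatches(WORLDS, RELS))
    print("K(Bp -> p) valid:", valid_on_frame(box("K", imp(box("B", P), P)), WORLDS, RELS))
```

On this frame the interaction axioms Kp → Bp and Bp → KBp are valid, while the trust formula K(Bp → p) fails at world 0, which is not B-reflexive; condition (e) for X = K, Y = B fails for the same reason.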

(a), (b) and (e) are preserved under bisimulation-products, because they are uni- 
versal Horn. It is not difficult to show preservation of (d) as well. Theorem 5.6.6 
in [Marx] shows that the density principle (c) might result in the loss of 
even the weakest form of interpolation. But if R^X or R^Y is reflexive, (c) be- 
comes trivially true, thereby not endangering the interpolation property. 

So we can conclude that interpolation is often available in modal logics of 
knowledge and belief. 
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Abstract. A generic method for constructing categorical models of Lin- 
ear Logic is provided and instantiated to yield traditional models such 
as coherence spaces, hypercoherences, phase spaces, relations, etc. The 
generic construction is modular, as expected. Hence we discuss multi- 
plicative connectives, modalities and additive connectives in turn. Mod- 
elling the multiplicative connectives of Linear Logic is a generalisation 
of previous work, requiring a few non-standard concepts. More challeng- 
ing is the modelling of the modalities ‘!’ (and, respectively “?’), which 
is achieved in the surprisingly general setting of this construction by 
considering !-candidates and showing that they exist and constitute a 
modality, under appropriate conditions. 



1 Introduction 

This paper recasts some well-known models of Linear Logic into a more general 
framework, that allows us to explicate some of their similarities and differences. 
It is pleasing (and surprising) to find that coherence spaces (Girard’s original 
domain-theoretic model of Linear Logic), hypercoherences (Ehrhard’s categorical 
explanation of sequentiality), phase spaces and even (the category of) sets and 
relations Rel can all be seen as specific instances of our generic construction. 
This generic construction can cope both with the intuitionistic and the classical 
flavours of Linear Logic and it allows us to model fragments of Linear Logic, in 
a modular fashion, as one would expect to be able to. 

The motivation for this generic construction arose from comparing Chu’s 
construction [Bar79] with dialectica categories. We wanted to discover 

how far could we get when modelling Linear Logic, simply by mapping into some 
(linear) algebraic structure, forgetting all about any built-in duality. However, 
this work can be understood independently from the original motivation. It gives 
an account of several well-known models of Linear Logic in a unified framework, 
making them all instances of our particular categorical construction. 

This paper is organised as follows. We first review coherence spaces and 
hypercoherences, our motivating examples. Then we describe our generic con- 
struction and show that the categories we obtain have a multiplicative structure. 
In the next section we describe the modality or exponential “!”, which is the hard 
part when modelling Linear Logic. Then we describe the additives and discuss 
some other examples of models that can be seen as instances of our generic con- 
struction. This extended abstract provides all the definitions and a few hints, 
but full proofs can be found in the long version of the paper [dPS98]. 

2 Motivating Examples 

We first present a different perspective on two well-known models of Linear 
Logic, namely coherence spaces and hypercoherences. 

Recall that a coherence space X is given by a set |X| (its ‘web’), and a 
reflexive binary relation ⌢ on |X|. We use ⌢⁺ to denote the relation resulting 
from removing the diagonal from ⌢. Viewing this model from a different angle, 
we encode this structure via a function α_X from |X| × |X| to the three element 
ordered set 3 := {⊥ < 1 < ⌢⁺}, where (x, x') in |X| × |X| is mapped to 1 iff 
x = x', and to ⌢⁺ iff x ⌢⁺ x'. We hope overloading the symbol ⌢⁺ with two totally 
different meanings does not cause confusion. 

A morphism of coherence spaces is given by a relation R: |X| ⇸ |Y| such 
that x R y, x' R y' and x ⌢ x' imply y ⌢ y'. In the representation of coherence 
spaces as maps from |X| × |X| to 3, this is equivalent to the condition: 

(x, x') R×R (y, y') implies α_X(x, x') ≤ α_Y(y, y'). 

The ordered set 3 can easily be seen to carry a symmetric monoidal closed 
structure. If one considers the operations • and ▷ given by their tables on the 
elements of 3 (the tables are not legible in this scan), 
then 3 is a symmetric monoidal closed poset, where • stands for tensor product 
and ▷ for linear implication. 

The tensor product X⊗Y of two coherence spaces X and Y has as underlying 
set |X| × |Y| and its tensor product structure is defined by (x, y) ⌢ (x', y') iff 
x ⌢ x' and y ⌢ y'. In terms of a function (|X| × |Y|) × (|X| × |Y|) → 3, this 
amounts to a mapping sending ((x, y), (x', y')) to α_X(x, x') • α_Y(y, y'). Similarly, 
the linear hom X ⊸ Y of X and Y has |X| × |Y| as its underlying set. In this case 
(x, y) ⌢ (x', y') iff (x ⌢ x' implies y ⌢ y') and (x ⌢⁺ x' implies y ⌢⁺ y'). Again, this 
can easily be expressed as a function (|X| × |Y|) × (|X| × |Y|) → 3, namely the 
one sending the pair ((x, y), (x', y')) to α_X(x, x') ▷ α_Y(y, y'). Thus the tensor of 
coherence spaces is obtained using the tensor product of 3 and the linear hom 
of coherence spaces is similarly obtained from the linear hom in 3. We say that 
the symmetric monoidal closed structure on 3 induces that of the category of 
coherence spaces. 
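To make the encoding concrete, here is an added Python example (not code from the paper): it fixes • and ▷ on 3 by reading them off the tensor and linear-hom clauses just stated (the paper's own tables are not legible in this copy, so the entries below are this example's reconstruction, and the element names BOT, ONE, COH are its own), verifies exhaustively that 3 is a symmetric monoidal closed poset, builds X⊗Y and X⊸Y both pointwise through 3 and directly from the clauses, and checks that the two agree. It also compares the encoded morphism condition α_X(x, x') ≤ α_Y(y, y') with Girard's usual definition of a linear map, which is assumed here rather than taken from the page.

```python
from itertools import combinations, product

# The three-element poset 3, ordered BOT < ONE < COH. These names are this example's
# own; the page writes the top element with the strict-coherence symbol.
BOT, ONE, COH = 0, 1, 2

def tensor(a, b):
    """The operation '.' on 3, read off the clause for X (x) Y in the text."""
    if a == BOT or b == BOT:
        return BOT
    return max(a, b)              # ONE.ONE = ONE; anything with COH gives COH

def implies(a, b):
    """The operation '>' on 3, read off the clause for the linear hom in the text."""
    if a == BOT:
        return COH                # incoherent arguments constrain nothing
    if a == ONE:
        return b                  # equal arguments: the result pair decides
    return COH if b == COH else BOT   # strictly coherent arguments need strictly coherent results

def is_smc_poset():
    """Exhaustively check that (3, ., ONE, >) is a symmetric monoidal closed poset."""
    els = (BOT, ONE, COH)
    for a, b, c in product(els, repeat=3):
        if tensor(a, b) != tensor(b, a) or tensor(ONE, a) != a:
            return False                                       # symmetry, unit
        if tensor(tensor(a, b), c) != tensor(a, tensor(b, c)):
            return False                                       # associativity
        if a <= b and tensor(a, c) > tensor(b, c):
            return False                                       # monotonicity
        if (tensor(a, b) <= c) != (a <= implies(b, c)):
            return False                                       # closure: . is left adjoint to >
    return True

class CoherenceSpace:
    """A web plus the set of strictly coherent (unordered, distinct) pairs."""
    def __init__(self, web, strict_pairs):
        self.web = frozenset(web)
        self.strict = {frozenset(p) for p in strict_pairs}

    def alpha(self, x, y):
        """The encoding alpha_X : |X| x |X| -> 3 of the text."""
        if x == y:
            return ONE
        return COH if frozenset((x, y)) in self.strict else BOT

    def coherent(self, x, y):     # reflexive coherence
        return self.alpha(x, y) >= ONE

def _space_from(X, Y, op):
    """Coherence space on |X| x |Y| whose encoding is op(alpha_X, alpha_Y) pointwise."""
    web = set(product(X.web, Y.web))
    strict = {frozenset((u, v)) for u in web for v in web
              if u != v and op(X.alpha(u[0], v[0]), Y.alpha(u[1], v[1])) == COH}
    return CoherenceSpace(web, strict)

def tensor_space(X, Y):
    return _space_from(X, Y, tensor)

def hom_space(X, Y):
    return _space_from(X, Y, implies)

def tensor_space_direct(X, Y):
    """X (x) Y by the clause in the text: (x,y) coherent with (x',y') iff x ~ x' and y ~ y'."""
    web = set(product(X.web, Y.web))
    strict = {frozenset((u, v)) for u in web for v in web
              if u != v and X.coherent(u[0], v[0]) and Y.coherent(u[1], v[1])}
    return CoherenceSpace(web, strict)

def hom_space_direct(X, Y):
    """X -o Y by the clause in the text: (x ~ x' implies y ~ y') and
    (x strictly coherent with x' implies y strictly coherent with y')."""
    web = set(product(X.web, Y.web))
    def ok(u, v):
        (x, y), (x1, y1) = u, v
        return ((not X.coherent(x, x1)) or Y.coherent(y, y1)) and \
               (X.alpha(x, x1) != COH or Y.alpha(y, y1) == COH)
    strict = {frozenset((u, v)) for u in web for v in web if u != v and ok(u, v)}
    return CoherenceSpace(web, strict)

def same_space(A, B):
    return A.web == B.web and A.strict == B.strict

def is_morphism(X, Y, R):
    """Encoded morphism condition: (x,x') RxR (y,y') implies alpha_X(x,x') <= alpha_Y(y,y')."""
    return all(X.alpha(x, x1) <= Y.alpha(y, y1) for (x, y) in R for (x1, y1) in R)

def is_linear_map(X, Y, R):
    """Girard's linear maps (assumed, not stated on the page): coherent inputs go to
    coherent outputs, and equal outputs on coherent inputs force equal inputs."""
    return all((not X.coherent(x, x1)) or (Y.coherent(y, y1) and (y != y1 or x == x1))
               for (x, y) in R for (x1, y1) in R)

def morphism_conditions_agree(X, Y):
    """Compare the two morphism conditions on every relation between the two webs."""
    pairs = list(product(X.web, Y.web))
    return all(is_morphism(X, Y, R) == is_linear_map(X, Y, R)
               for n in range(len(pairs) + 1) for R in combinations(pairs, n))
```

The exhaustive check in `is_smc_poset` is what justifies calling 3 a lineale-like structure here: the adjunction clause is exactly the closure condition, and with it the pointwise constructions `tensor_space` and `hom_space` coincide with the direct clauses from the text on every finite example.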

Now consider a second example of a model of linear logic, namely that of 
hypercoherences [Ehr93]. A hypercoherence X is given by a set |X| (also called 
the ‘web’), and a subset Γ(X) of the set of finite non-empty subsets of |X| 
containing all singletons. This can be encoded as a function α_X: P_fin|X| → 3, 






Valeria de Paiva and Andrea Schalk 



where P_fin denotes the (finite, non-empty) powerset functor: α_X maps a finite 
subset a of |X| to 1 iff a is a singleton, and to ⌢⁺ iff it is an element of Γ(X). 
Again, this representation does capture the tensor product and the linear hom 
of hypercoherences in terms of the same operations on 3. 

Morphisms of hypercoherences also fit well into this representation. A mor- 
phism of hypercoherences is a relation R: |X| ⇸ |Y| such that for every finite 
subset E of R, the following conditions are satisfied: 

(i) If π1(E) ∈ Γ(X) then π2(E) ∈ Γ(Y). 

(ii) If π2(E) is a singleton then π1(E) is a singleton. 

The finite powerset functor on the category of sets and relations Rel is defined 
on morphisms by a (P_fin R) b, where a ∈ P_fin(X), b ∈ P_fin(Y), iff there is a (finite) 
subset E of R with π1(E) = a and π2(E) = b. Then R being a morphism of 
hypercoherences is equivalent to the condition: 

a (P_fin R) b implies α_X(a) ≤ α_Y(b) 

These observations suggest a pattern. As objects of a unifying model we 
consider functions α: FA → L, where F is a functor on the category of sets and 
relations, Rel, A is a set and L is a poset which, as a category, is a symmetric 
monoidal closed category (smcc). We write (A, α) for these objects and call α the 
structure on A. A morphism from (A, α) to (B, β) is a relation R: A ⇸ B such 
that for a in FA, b in FB, a (FR) b implies α(a) ≤ β(b). These stipulations 
do define a general category. To obtain a tensor-product on this category, we 
need a natural transformation with components a_{A,B}: F(A × B) → FA × FB, 
satisfying suitable properties to make A × B (with a natural structure map) 
the tensor product of (A, α) and (B, β). Similarly, we obtain a linear function 
space, and we demonstrate that the other connectives of Linear Logic can also be 
handled in this setting. The construction sketched turns out to be flexible enough 
to model both Classical and Intuitionistic Linear Logic, depending on which 
conditions we choose to impose on the poset L. For a model of Full Intuitionistic 
Linear Logic we use what has been called a lineale in previous work [dP]. 

3 The Basic Construction 

The category of sets and relations Rel was one of the very first models of Linear Logic, but Rel is a very collapsed model, as different logical connectives are modelled by the same categorical structure. Both products and co-products in Rel have the disjoint union as underlying set, whereas tensor and ‘par’ are both modelled via the cartesian product, which also serves as the set underlying the linear function space. Moreover the truth values 1 and ⊤, the units for tensor and par, coincide. Our aim is to build models for linear logic which suffer less collapse than the category Rel we start with. The ingredients we use are the following: an algebraic model L for the multiplicative-additive fragment of the logic we are aiming for, an endo-functor on Rel (satisfying certain properties which we will state later) which allows for different flavours of the model, and the categorical structure of Rel. Note that we do not require modalities in L.

Since some of the arrows we will consider are functions whereas others are relations, it is advisable to have different notations for the two. We denote an arrow in Rel from A to B by A ⇸ B. Furthermore, given R: A ⇸ B we will use R^op to name the morphism B ⇸ A defined by y R^op x iff x R y. This will not stop us from using the usual arrow symbol for relations which we know to be functions, even though we consider them as arrows in Rel. All symbols referring to categorical constructs such as ×, +, ⊗ and ⅋ (the symbol we use for Girard’s ‘par’ connective) are meant to be interpreted in terms of Rel rather than Sets. We view the structure on L to consist of morphisms in Rel, such as •: L ⊗ L → L or ▷: L ⊸ L → L (notice the use of plain arrows here).

There are a number of ways of obtaining linear logic modalities on Rel. Basically, in addition to the constructs mentioned above we need a monoidal comonad such that all free co-algebras of this comonad are commutative comonoids, and morphisms between them have to respect the comonoid structure. However, in Rel, all morphisms can easily be ‘turned around’ (passing from R to R^op), which means that instead of comonads and comonoids we might as well consider monads and monoids, which are more familiar. In order to make Rel a linear category, take any monad whose Eilenberg-Moore algebras carry a commutative monoid structure. This could be, for example, the free commutative monoid, or the finite powerset monad. In order to obtain the desired comonad, just turn around all the morphisms. For our generic construction it is of no importance which way of modelling ! is chosen — they will all make the resulting category a linear one.

3.1 L_F-sets

We are now ready to introduce formally the category we are interested in. 

Definition 1. Let F be an endo-functor on Rel and let L be a closed poset. An L_F-set is a pair (A, α), where α is a function FA → L. Given two L_F-sets (A, α) and (B, β), we define a morphism of L_F-sets to be a relation R: A ⇸ B such that x (FR) y implies α(x) ≤ β(y), for x ∈ FA, y ∈ FB.

We denote a morphism using our symbol for relations, ie R: (A, α) ⇸ (B, β). Equivalently, we require a morphism to satisfy the inequality α ≤ β ∘ FR, represented by the ‘weakly commuting’ diagram drawn as follows:

[diagram: FA --FR--> FB, with α: FA → L and β: FB → L, commuting up to ≤]

Here ≤ is a pre-order defined on hom-sets with co-domain L as follows: For α, α' ∈ Rel(FA, L) we say that α ≤ α' iff for all x ∈ FA, x α l and x α' l' implies l ≤ l'.







We shall need a number of useful properties of this pre-order. These are stated in the following lemma, which makes statements about the interaction of the order ≤ with composition ∘, tensor and linear function space.

Lemma 1. (i) Let R: B ⇸ A and S, S': A ⇸ L be relations. If S ≤ S' then S ∘ R ≤ S' ∘ R.

(ii) Let R, R': A ⇸ L and S, S': B ⇸ L. If R ≤ R' and S ≤ S' then • ∘

(iii) Let R, R': A ⇸ L and S, S': L ⇸ B. If R ≤ R' and S^op ≤ S'^op then ▷ ∘ (S ⊸ R) ≤ ▷ ∘ (S' ⊸ R').

(iv) Let α, β: A → L. Then α ≤ β if and only if α is less than or equal to β in the pointwise order for functions.

Identities in L_F-Sets are identity relations, and composition is also taken from Rel. It is not difficult to check that this defines a category, which we call L_F-Sets.

4 Multiplicative Structure 

We claim that the categories L_F-Sets are suitable for modelling the connectives of linear logic, and that in general they suffer less collapse than Rel. To define a symmetric monoidal closed structure on L_F-Sets we make use of the fact that both Rel and L carry such a structure. Let σ be a natural transformation between the bifunctors F(_ ⊗ _) and F_ ⊗ F_ such that all its components are functions. Given this, we define a tensor product on L_F-Sets.

Definition 2. The tensor product of two L_F-sets (A, α) and (B, β) has as its underlying set A ⊗ B and the structure is given by:

F(A ⊗ B) --σ_{A,B}--> FA ⊗ FB --α ⊗ β--> L ⊗ L --•--> L

For morphisms, let the tensor product be the one from Rel.

It is not difficult to prove that this defines a symmetric monoidal structure on L_F-sets, but the proof demonstrates the need for a natural transformation between bifunctors F(_ ⊗ _) → F_ ⊗ F_ with properties which are slightly non-standard. These correspond to four commuting diagrams, spelled out in the appendix. A functor F endowed with a natural transformation satisfying these commuting diagrams we call a comonoidal functor. A unit for this tensor product is given by (I, ι₁), where I = {*} and ι₁ is the composition of the (only) function FI → I and the function e: I → L that picks the identity 1 for • in L.

Proposition 1. Let L be a closed poset, let F be an endo-functor on Rel, and let the natural transformations σ: F(_ ⊗ _) → F_ ⊗ F_ and σ_I: FI → I make F a comonoidal functor, and assume that σ_I as well as all components of σ are functions. Then the tensor product defined above makes L_F-Sets a symmetric monoidal category.

If we assume that there is a dinatural transformation τ between the mixed variance functors F(_ ⊸ _) and F_ ⊸ F_ such that all components of it are functions, then we can define a linear function space on L_F-Sets.



Definition 3. The underlying set of the ‘internal hom’ of two L_F-sets (A, α) and (B, β) is A ⊸ B, and the structure is defined by:

F(A ⊸ B) --τ_{A,B}--> FA ⊸ FB --α^op ⊸ β--> L ⊸ L --▷--> L



Again, on morphisms we use the usual definition on Rel. It is not difficult to show that we thus obtain a functor ⊸ of mixed variance as desired. In order to provide the desired adjoint for ⊗, however, we need to demand a close relationship between F, σ, τ and the units and co-units of the adjunctions between ⊗ and ⊸ in Rel, say η and ε. This gives us another two commuting diagrams. A functor F that satisfies these extra conditions (diagrams in the appendix) could be called co-exponentiable. We still need a preliminary lemma which shows that the adjunction in Rel and the ‘internal’ one of L are related:

Lemma 2. If α is a function A → L then the following diagrams are (weakly) commutative:

[diagram: L --η_L--> A ⊸ (L ⊗ A) --α^op ⊸ (id_L ⊗ α)--> L ⊸ (L ⊗ L) --id_L ⊸ •--> L ⊸ L --▷--> L, compared with id_L: L → L]

[diagram: (A ⊸ L) ⊗ A --(α^op ⊸ id_L) ⊗ α--> (L ⊸ L) ⊗ L --▷ ⊗ id_L--> L ⊗ L --•--> L, compared with ε_L: (A ⊸ L) ⊗ A → L]
Now we can prove:

Theorem 1. If F is comonoidal and co-exponentiable then the category L_F-Sets is symmetric monoidal closed.

Since Rel is compact closed, it is not a priori necessary for the natural transformations σ and τ to be different, but as we think of generalizing our results to a more categorical setting it seems appropriate to keep them distinct. Note that it is mostly the structure on L that is responsible for L_F-Sets not being compact closed: even if τ and σ are the same, L_F-Sets will not be compact closed as long as L is not.
4.1 Negation and ‘Par’

If the algebraic model L carries a par operation, we can define one for L_F-Sets exactly as we defined the tensor product (re-using σ), and so long as par and tensor are interpreted differently on L, these two will not collapse for the category L_F-Sets.

Definition 4. Set (A, α) ⅋ (B, β) as (A ⊗ B, ⅋ ∘ (α ⊗ β) ∘ σ_{A,B}). The unit for par is given by (I, ι_⊥), where ι_⊥ is the composition of σ_I: FI → I and the function I → L that picks out the unit ⊥ for par in L.

We obtain a definition for negation also from the corresponding structure on Rel and L, the simplest way of writing it being (A, α)^⊥ := (A, (_)^⊥ ∘ α). In other words, the underlying set for (A, α)^⊥ is A, and the structure is given by composing α with the negation on L, ie l ↦ l^⊥.

If L is a model for the multiplicative additive fragment of (classical) Linear Logic then certain equalities hold in L, for example l^⊥⊥ = l, l^⊥ ⊗ m^⊥ = (l ⅋ m)^⊥ etc. These translate into isomorphisms of L_F-sets, ie (A, α)^⊥⊥ ≅ (A, α), (A, α)^⊥ ⊗ (B, β)^⊥ ≅ ((A, α) ⅋ (B, β))^⊥ etc. The underlying sets are obviously isomorphic (actually they are identical), and the equations on L ensure that these isomorphisms are indeed morphisms of the respective L_F-sets. Note that to obtain the usual equations between ⅋ and ⊗ we must have τ being equal to σ. Hence by choosing L we can determine whether our category L_F-Sets will be more in the intuitionistic or in the classical vein, which provides us with close and relatively effortless control.

5 The Modalities 

To obtain a linear category, we need a monoidal comonad on L_F-Sets such that all free co-algebras carry a commutative comonoid structure. We assume that such a structure is already given on Rel, namely we assume a monoidal comonad (!, ε, δ, m_I, m) and natural transformations on the category of free algebras with components d_A: !A → !A ⊗ !A and e: !A → I making !A a commutative comonoid. We will abuse notation and refer to the desired monoidal comonad on L_F-Sets again as (!, ε, δ, m_I, m). This is not problematic since it is obtained by ‘lifting’ the structure on Rel.

The underlying set of !(A, α) is !A, but we have to work hard to obtain a suitable structure on that set. Since morphisms of L_F-sets are just relations (satisfying a certain inequality), the definition of ! on morphisms remains the one in Rel, but we must ensure that this will indeed satisfy the desired inequality and thus be a morphism of L_F-sets. Similarly, we want to keep the components of the natural transformations ε, δ, m, d and e, as well as the definition of m_I, as the ones in Rel. For that we have to choose the structure on !(A, α) in such a way that all these become morphisms in L_F-Sets. This results in seven inequalities that we want to hold. But three of those inequalities are more central than the remaining four. Hence we have the following definition.
Definition 5. A !-candidate for (A, α) is a function t: F!A → L that satisfies the following inequalities:

In other words, a !-candidate t for (A, α) makes (!A, t) a co-monoid ‘co-generated’ by (A, α). And among all the !-candidates there is a canonical one that will yield the desired object, namely the (pointwise) join of all !-candidates — if it exists. To ensure that, we assume from now on that L has all joins, ie is a complete lattice.

Proposition 2. The pointwise join of all !-candidates for an L_F-set (A, α) is another !-candidate.

There is a crucial property which all the categories of L_F-sets share which assures that the join of all !-candidates will result in the desired linear structure for the category L_F-Sets.

Lemma 3. [Fill-in property] Let L be a complete lattice, let (A, α) be an L_F-set and let R: A ⇸ B be any relation. Then there is β: FB → L making (B, β) an L_F-set such that

(i) The relation R is a morphism (A, α) ⇸ (B, β) of L_F-sets, ie the following diagram commutes weakly:

[diagram: FA --FR--> FB, with α: FA → L and β: FB → L]

(ii) If S: B ⇸ C is such that S ∘ R is a morphism of L_F-sets (A, α) ⇸ (C, γ) then S is a morphism (B, β) ⇸ (C, γ), ie the weak commutativity of

[diagram: FA --F(S ∘ R)--> FC, with α: FA → L and γ: FC → L]

implies that the following diagram is also weakly commutative:

[diagram: FB --FS--> FC, with β: FB → L and γ: FC → L]

(iii) The function β is uniquely defined by (i) and (ii).



We still need to explain how to obtain !-candidates for the tensor product of two L_F-sets.

Lemma 4. If t and u are !-candidates for (A, α) and (B, β) respectively, then the function obtained via the fill-in property (Lemma 3) from the following diagram is a !-candidate for (A, α) ⊗ (B, β) = (A ⊗ B, • ∘ (α ⊗ β) ∘ σ_{A,B}):

[diagram: F(!A ⊗ !B) --σ_{!A,!B}--> F!A ⊗ F!B --t ⊗ u--> L ⊗ L --•--> L, with Fm_{A,B}: F(!A ⊗ !B) → F!(A ⊗ B) and the filled-in function F!(A ⊗ B) → L]

The whole description of !A and especially the fill-in property do not look very categorical, but given the generality of this approach (after all, F is just an arbitrary endo-functor on Rel), one cannot expect a constructive definition of the desired structure F!A → L. It is rather surprising that we can get away with so general a situation. Using linear category in the sense of Bierman we obtain:

Theorem 2. If L is a complete lattice and closed as a poset, then, under the assumptions of Theorem 1, any category of L_F-sets is a linear category.

Having defined !, we can use it to define ? if we are modelling (classical) Linear Logic; alternatively, we can take the monad for ? on Rel and define a monad on L_F-Sets from there. The two approaches will lead to the same result.



Building Models of Linear Logic 173



6 The Additives 



To model the additive connectives we assume — as we did for the modalities — that L is a complete lattice, which results in the fill-in property of Lemma 3. Obviously, the dual of that lemma also holds. We shall need one version for products and the other for co-products.

Looking at co-products we have a candidate for the underlying set of (A, α) + (B, β), namely A + B, and candidates for the embeddings, namely inl and inr from Rel. It remains to determine the structure, ie a function F(A + B) → L that will give us the desired universal property. We obtain this function from the fill-in property again.

Consider the following diagrams:

[diagram: FA --F inl--> F(A + B), with α: FA → L and the filled-in function φ_l: F(A + B) → L]

[diagram: FB --F inr--> F(A + B), with β: FB → L and the filled-in function φ_r: F(A + B) → L]

The co-product is given by (A + B, φ_l ∨ φ_r) where the structure is the pointwise join of those two functions. Obviously, products can be obtained via the dual of this process.

Proposition 3. If L is a complete lattice then any category of L_F-sets has all products and coproducts.

7 Examples and Properties 

7.1 Phase Spaces and Completeness 

First of all, if F is a constant functor, mapping everything to a one element set, then the structure map α picks out an element of L. The operations on these L_F-sets are as defined on L, except !, obviously, which is a derived operation, and in that case Theorem 2 tells us how to define a modality for L.

One particular instance of this would be that of phase spaces: Recall that a phase space M consists of a commutative monoid and a subset T of M. For subsets X of M, negation is defined via

X^⊥ := {m ∈ M | ∀n ∈ X. mn ∈ T}.
In this case, let L := {X ⊆ M | X = X^⊥⊥} — in [Gir87], Girard calls these sets ‘facts’. They form a complete lattice with respect to ⊆ since facts are closed under arbitrary intersection. The tensor is given via X ⊗ Y := {mn | m ∈ X, n ∈ Y}^⊥⊥. We will not repeat here how the other connectives are defined. It is interesting to compare Girard’s exponentials to the ones obtained from our technique. Girard in fact gives more than one interpretation for !, but we are interested in the one in [Gir95], where !X = (X ∩ I)^⊥⊥ (I = 1^⊥⊥ is the unit for ⊗, where 1 is the unit of the monoid M). We define ! as the largest function t: L → L satisfying t(X) ≤ I, t(X) ≤ X and t(X) ≤ t(X) ⊗ t(X). (Note that due to the nature of F, it does not matter with which definition of ! on Rel we start.) Obviously, Girard’s definition satisfies the first two of those inequalities, but not the third. However, if a formula φ is provable in Linear Logic, then 1 is an element of its interpretation (no matter which phase space we are looking at), and for facts X containing 1, the desired inequality is true. Hence, whereas we make sure that !X ≤ !X ⊗ !X is true for all elements of L, Girard restricts himself to those elements which can possibly be interpretations of formulae. Thus he obtains a nice explicit definition for ! which, however, has a bit of an ad hoc nature. We obtain the somewhat less appealing formula !X := {···}^⊥⊥.

The above discussion also answers the question of whether our semantics is 
complete, since phase spaces are known to be. 
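The comparison of the two modalities above, worked through on a finite phase space (an added example by the editor, not code from the paper): the constructed instance is the monoid (Z/4Z, ·) with pole T = {0}, on which Girard’s !X = (X ∩ I)^⊥⊥ fails the third inequality on exactly one fact (one not containing 1), while the largest !-candidate, computed as a greatest fixed point, satisfies all three.

```python
"""Editor's added example (not from the paper): a finite phase space on which
Girard's modality !X = (X ∩ I)^⊥⊥ fails the third !-candidate inequality
!X ≤ !X ⊗ !X, while the largest !-candidate of Section 7.1 satisfies all
three.  Constructed instance: the commutative monoid (Z/4Z, ·) with pole
T = {0}; facts, ⊥, ⊗ and I follow the definitions in the text."""
from itertools import combinations

# Constructed phase space: carrier Z/4Z under multiplication mod 4,
# monoid unit 1, pole T = {0}.
M = frozenset(range(4))
ONE = 1
T = frozenset({0})


def mul(m, n):
    return (m * n) % 4


def perp(X):
    """X^⊥ = {m ∈ M | ∀n ∈ X. m·n ∈ T}."""
    return frozenset(m for m in M if all(mul(m, n) in T for n in X))


def closure(X):
    """X^⊥⊥, the smallest fact containing X."""
    return perp(perp(X))


def facts():
    """L: the set of all facts X = X^⊥⊥ (a complete lattice under ⊆)."""
    subsets = (frozenset(c) for r in range(len(M) + 1)
               for c in combinations(sorted(M), r))
    return frozenset(closure(X) for X in subsets)


def tensor(X, Y):
    """X ⊗ Y = {m·n | m ∈ X, n ∈ Y}^⊥⊥."""
    return closure(frozenset(mul(m, n) for m in X for n in Y))


def unit():
    """I = 1^⊥⊥, the unit for ⊗."""
    return closure(frozenset({ONE}))


def girard_bang(X):
    """Girard's explicit modality !X = (X ∩ I)^⊥⊥."""
    return closure(X & unit())


def join_bang(X):
    """The modality of Section 7.1: the largest t(X) with t(X) ≤ I,
    t(X) ≤ X and t(X) ≤ t(X) ⊗ t(X).  The join of candidates is again a
    candidate (Proposition 2), so the largest one is the greatest fixed
    point of t ↦ (X ∩ I) ∩ (t ⊗ t); L is finite, so descending from X ∩ I
    (a fact, since facts are closed under intersection) reaches it."""
    t = X & unit()
    while True:
        nxt = t & tensor(t, t)
        if nxt == t:
            return t
        t = nxt


def violations(bang):
    """Facts X on which bang(X) ≤ I, bang(X) ≤ X or bang(X) ≤ bang(X) ⊗ bang(X)
    fails; empty iff bang is a !-candidate on every fact."""
    bad = []
    for X in facts():
        t = bang(X)
        if not (t <= unit() and t <= X and t <= tensor(t, t)):
            bad.append(X)
    return sorted(bad, key=sorted)


if __name__ == "__main__":
    print("facts:", [sorted(X) for X in facts()])
    print("Girard's ! violates the inequalities on:", violations(girard_bang))
    print("largest !-candidate violates them on:", violations(join_bang))
    # The violating fact {0, 2} does not contain the monoid unit 1, which is
    # exactly the case the text says Girard's definition leaves out.
```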

Another model of a similar nature which we can view as a category of L_F-sets are Mitchell’s lE-quantales [?] — they also fit the case where F is a constant functor of the kind described above.

The other possibility for obtaining a degenerate model is to have L be a singleton. In the case where F is the identity, this will give us the category of sets and relations with the usual connectives (and collapses, of course), and with whatever definition of ! we start.



7.2 Coherence Spaces and Hypercoherences Revisited 

We have seen in Section 2 that coherence spaces can be encoded as L_F-sets, by choosing L to be 3, and F to be the diagonal functor Δ for the tensor product on Rel. If we denote by G the functor obtained from mapping a coherence space to the corresponding 3_Δ-set, we get:

Proposition 4. The functor G is full and faithful and preserves the monoidal closed structure on the category of coherence spaces as well as products and co-products.

The image of the embedding G consists of all 3_Δ-sets whose structure map takes the value 1 exactly on the diagonal. A few calculations show that the modalities we obtain for 3_Δ-sets if we take ! to be the finite powerset functor on Rel correspond to the ones described in [?]. To obtain the ones from [?] we have to adjust our definition of !: this is because the underlying set for !(A, α) is always !A in our construction, ie α cannot be used to determine a subset of !A as in the usual version of the modalities for coherence spaces. However, we can provide for that to some degree: Under the assumptions of Theorem 2 let there be a subset !_α A of !A for every (A, α). Further assume that the restrictions and co-restrictions of the linear structure on Rel to these subsets, and the equations between those, are still valid. If F preserves inclusion of relations, then this results in another linear category. We will not go into the details of the proof here — basically, it consists in showing that the notion of !-candidate can be adapted to those circumstances.

The other example we looked at in Section 2 was that of hypercoherences. To encode those, we chose L = 3 and F = P_fin, the finite powerset functor on Rel. By defining the resulting functor on morphisms the same way we defined G above, we again obtain a full and faithful embedding that preserves the monoidal closed structure. Its image in the category of 3_{P_fin}-sets is given by those (X, α_X) which take the value 1 if and only if the argument is a singleton. However, the image of that embedding is not closed under products and co-products (the property of the structure taking the value 1 exactly on singletons is not preserved under these constructions). The modalities, however, can be expressed in the category of 3_{P_fin}-sets as described in the section on coherence spaces.



7.3 Lamarche’s Q_A-Coherences

Lamarche’s attempt to find a generalization of models for Linear Logic such as hypercoherences and coherence spaces led him to the introduction of what he calls Q_A-coherences [Lam95], where Q is a quantale. These can be viewed as Q_{P_n}-sets, where P_n is a powerset functor which only considers sets up to cardinality n. (The additional parameter A specifies a subset of Q which is used to ‘mark’ the singleton sets.) Any category of Q_A-coherences can be embedded into the category of Q_{P_n}-sets, and this embedding preserves all multiplicative and additive connectives, and is full and faithful.



8 Conclusions 

It is pleasing to see that so many, in principle very different, models of Linear Logic can be cast into the framework of L_F-Sets. We remark that the unification happens not only on the level of representing the previous models as L_F-Sets, but also in that the relevant categorical structure is preserved by the representation.

It is worth pointing out that there is a constructive version of our construction - provided that the functors (F and !) involved satisfy a simple finitariness condition, we can model Intuitionistic Linear Logic even if L only has finite meets and joins.

Furthermore, there is a relatively simple instantiation of our construction which, unlike hypercoherences and coherence spaces, does not validate the mix rule: Instead of choosing 3 as the underlying poset, take the four element lattice. This will, of course, also ensure that all the constants are different. We believe there should be many applications for these very discriminating kinds of models, but have not had the time to work them out.

Still there are two classes of models that we have not been able to fit into this general framework: dialectica models and games models are not straightforward L_F-Sets. This is due to the fact that these models have an ‘external’ duality - which is achieved by giving two components to every object, and swapping them by negation. We cannot realistically hope to capture this via an internal duality, such as the one on L, which is the one we use to obtain the duality of L_F-Sets. We are independently pursuing the work on these two classes of models using other methodologies.

We would like to thank Martin Hyland for numerous discussions on the subject of this paper. Thanks also to Paul Taylor for his diagrams package.
Appendix A: Diagrams for Definitions

We must explain the notions of comonoidal and co-exponentiable functors.

Definition 6. Let C be a (symmetric) monoidal category and let F be an endo-functor on C. We say that the natural transformation of bifunctors σ: F(_ ⊗ _) → F_ ⊗ F_ (where all the components are functions) and the map σ_I: FI → I make F a (symmetric) co-monoidal functor iff the following (overleaf) diagrams commute, where a, ρ, λ and γ denote the usual isomorphisms in (symmetric) monoidal categories.
[diagram: F(I ⊗ A) --σ_{I,A}--> FI ⊗ FA --σ_I ⊗ id_{FA}--> I ⊗ FA, with Fλ_A: F(I ⊗ A) → FA and λ_{FA}: I ⊗ FA → FA]

[diagram: F(A ⊗ I) --σ_{A,I}--> FA ⊗ FI --id_{FA} ⊗ σ_I--> FA ⊗ I, with Fρ_A: F(A ⊗ I) → FA and ρ_{FA}: FA ⊗ I → FA]

[diagram: F((A ⊗ B) ⊗ C) --σ_{A⊗B,C}--> F(A ⊗ B) ⊗ FC --σ_{A,B} ⊗ id_{FC}--> (FA ⊗ FB) ⊗ FC, with Fa_{A,B,C}: F((A ⊗ B) ⊗ C) → F(A ⊗ (B ⊗ C)) and a_{FA,FB,FC}: (FA ⊗ FB) ⊗ FC → FA ⊗ (FB ⊗ FC); bottom row F(A ⊗ (B ⊗ C)) --σ_{A,B⊗C}--> FA ⊗ F(B ⊗ C) --id_{FA} ⊗ σ_{B,C}--> FA ⊗ (FB ⊗ FC)]

And, in the case of symmetry:

[diagram: F(A ⊗ B) --σ_{A,B}--> FA ⊗ FB, with Fγ_{A,B}: F(A ⊗ B) → F(B ⊗ A) and γ_{FA,FB}: FA ⊗ FB → FB ⊗ FA; bottom row F(B ⊗ A) --σ_{B,A}--> FB ⊗ FA]



Definition 7. Let C be a (symmetric) monoidal closed category and let F be a (symmetric) co-monoidal endo-functor on C. We say that the natural transformation of bifunctors τ: F(_ ⊸ _) → F_ ⊸ F_ makes F a co-exponentiable functor iff the following diagrams commute, where ε and η are the units of the adjunction that makes C (symmetric) monoidal closed.

[diagram: FA --Fη--> F(B ⊸ (A ⊗ B)) --τ--> FB ⊸ F(A ⊗ B) --id_{FB} ⊸ σ_{A,B}--> FB ⊸ (FA ⊗ FB), compared with η_{FA}: FA → FB ⊸ (FA ⊗ FB)]

[diagram: F((B ⊸ C) ⊗ B) --σ_{B⊸C,B}--> F(B ⊸ C) ⊗ FB --τ ⊗ id_{FB}--> (FB ⊸ FC) ⊗ FB --ε_{FC}--> FC, compared with Fε: F((B ⊸ C) ⊗ B) → FC]
Abstract. Although there exist logics that extend the expressiveness of order-sorted equational logic using additional binary relations besides equality in their logical theories, standard equational rewriting is still the foundation of their operational semantics. But rewriting is not necessarily restricted to the replacement of equals by equals only, and can be generalized to other ‘special’ binary relations. I show in this paper that by applying rewrite techniques to logical theories considered as instances of a general ‘logic of special relations’ we can unify and hence simplify the computational analysis within these theories.



1 Introduction 

Since the beginning of the algebraic specification discipline for formal program development, there have been various attempts to further increase the limited expressiveness of conditional order-sorted equational logic. Some examples in this direction are classified algebras [?], unified algebras [?], type algebras, galactic algebras [?] and membership algebras [?]. From a model-theoretic point of view, these frameworks extend the expressiveness of conditional order-sorted equational logic by means of a semantic treatment of sorts by using additional binary relations besides equality in their sentences. For instance, Manca, Salibra, and Scollo’s equational type logic “can be viewed as Horn clausal logic with equality and one (binary) predicate, viz. type assignment” [?]. I will call these binary relations, that play a central role in the theories of these logics, special relations, because they have certain properties I claim can be computationally exploited by term rewriting. I am thinking of properties like reflexivity, symmetry or antisymmetry, monotonicity or antimonotonicity, congruence, transitivity or compositeness with other special relations. For instance, in the above mentioned equational type logic, the following properties or relationships between the special relations ‘equality’ (=) and ‘type assignment’ (:) hold, for all x, y, z:



x = y ∧ y = z ⇒ x = z
x : y ∧ y = z ⇒ x : z
x = y ∧ y : z ⇒ x : z
These relationships are actually specific instances of a general relation-algebra sentence α; β ⊑ γ, where α, β, and γ denote arbitrary binary relations, ‘;’ is composition of relations, and the partial order ‘⊑’ captures implication. Furthermore, in equational type logic every function symbol f is monotonic in all its argument positions i with respect to the special relation ‘equality’: x = y ⇒ f(..., x, ...) = f(..., y, ...). In general, a specific function symbol f that is monotone in its i-th argument position with respect to a pair of relations α and β satisfies the following implication: x α y ⇒ f(..., x, ...) β f(..., y, ...).

Although dealing with several binary relations at once, extensions of order-sorted equational logic like equational type logic or membership equational logic still base their respective proof calculi on standard equational rewriting, as is the case for equational type rewrite systems [?] and membership/rewriting systems [?], respectively. These proof calculi are therefore too restrictive and suffer from a difficult and heterogeneous treatment of their respective deduction mechanisms. But recently it has been shown that rewriting itself goes beyond equational logic, because rewriting is not necessarily restricted to the replacement of equals by equals only. Levy and Agusti studied mechanisms for automating the deduction in theories involving subset inclusions by means of bi-rewrite systems [?]. Bachmair and Ganzinger based on Levy and Agusti’s work their generalization from superposition calculi for full first-order theories with equality to ordered chaining calculi for theories with arbitrary binary relations.

It is due to these previous observations that I look at these extensions of order-sorted equational logic as particular instances of a more general logic of special relations, that I briefly introduce in Sect. 2. In addition I believe that the basic properties of special relations can be captured by term rewriting, and that some interesting computational issues can be naturally studied within a proof calculus relying on a suitable notion of ‘term rewriting along binary relations’, as defined in Sect. 3, which focuses on what I think constitutes the ‘bare bones of term rewriting’, namely first, the replacement of a term by another — applying a given rewrite rule —, second, the successive and meaningful composition of several replacements, and third, the possible, but not necessary, application of replacements within the structure of a term. In Sect. 4 I show that, for instance, in the particular case of membership equational logic [?], such a ‘kernel’ of term rewriting along binary relations uniformly captures, under a unique general notion of local confluence, some important decidability properties of its theories, like sort-decreasingness or descendingness.



2 A Logic of Special Relations 

Signatures of the logic of special relations are tuples Ω = (S*, Σ), where

— S* = (S*, ;, 1, ˘, ⊑) is a partially ordered free monoid with an anti-involution generated over a set S of special binary relation symbols. The monoid’s multiplication ‘;’ and neutral element ‘1’ are interpreted as relation composition and identity relation, respectively. The anti-involution ‘˘’ is interpreted as relation conversion. Composition and conversion are order preserving.

— Σ is a ranked alphabet of function symbols, which may be monotonic or antimonotonic in their argument positions with respect to a pair of special relation symbols of S.

I’m going to treat monotonicity and antimonotonicity as inherent features of the signature’s function symbols, in the same sense as their arities. For this purpose I use the notion of polarity, inspired by Manna and Waldinger’s work on special-relation rules [?]. For example, let |x| denote the cardinality function applied to the set x. We have that for all x, y, x ⊆ y ⇒ |x| ≤ |y|, i.e. the cardinality function is monotonic in its unique argument position. I will say that its argument position has positive polarity (or is positive) with respect to (⊆, ≤). In another example, let x\y denote set difference between sets x and y. We have that for all x, y, z, x ⊆ y ⇒ z\y ⊆ z\x, i.e. the set difference function is antimonotonic in its second argument. I will say that its second argument position has negative polarity (or is negative) with respect to (⊆, ⊆).

When I say that an argument position is positive (or negative) I do not 
exclude the possibility that it has both polarities. In general, when an argument 
position has some polarity (either positive, negative or both) I will just say that 
it is polarized. 

Without loss of generality, in the rest of this paper I will only refer to positive polarities of argument positions, since if a position has negative polarity with respect to a pair of relations, I express this polarity as a positive one in the following way: For any argument position i of any function symbol f in Σ, the i-th argument position of f is negative with respect to (α, β) if and only if it is positive with respect to (α˘, β) if and only if it is positive with respect to (α, β˘).
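The polarity notions above, checked by brute force over a finite carrier (an added example by the editor, not part of the paper): the constructed carrier is the powerset of {0, 1, 2}, the relations are ⊆, = and ≤ and the functions are the text’s |x| and x\y; the Python names (subseteq, card, diff, is_positive) are my own.

```python
"""Editor's added example (not from the paper): checking the polarity of
argument positions, as defined in Section 2, by brute force over a finite
carrier.  Constructed carrier: all subsets of {0, 1, 2}.  The relations
subseteq (⊆), equal (=) and leq (≤) and the functions card (|x|) and
diff (x\\y) are the text's examples; the Python names are mine."""
from itertools import combinations, product

# Constructed carrier: every subset of {0, 1, 2}, as frozensets.
DOMAIN = [frozenset(c) for r in range(4) for c in combinations((0, 1, 2), r)]


# Special relations as predicates on pairs.
def subseteq(x, y):
    return x <= y            # ⊆ on sets


def equal(x, y):
    return x == y            # = on sets


def leq(m, n):
    return m <= n            # ≤ on cardinalities


def converse(rel):
    """α˘: (x, y) ∈ α˘ iff (y, x) ∈ α."""
    return lambda x, y: rel(y, x)


def compose(rel1, rel2, domain=DOMAIN):
    """α;β: (x, z) ∈ α;β iff there is y with (x, y) ∈ α and (y, z) ∈ β."""
    return lambda x, z: any(rel1(x, y) and rel2(y, z) for y in domain)


# The text's two function symbols.
def card(x):
    return len(x)            # cardinality |x|


def diff(x, y):
    return x - y             # set difference x\y


def is_positive(f, arity, i, alpha, beta, domain=DOMAIN):
    """Position i of f (0-based) is positive w.r.t. (α, β) iff
    x α y implies f(..., x, ...) β f(..., y, ...) for all x, y in the carrier
    and all choices of the remaining arguments."""
    for ctx in product(domain, repeat=arity - 1):
        for x, y in product(domain, repeat=2):
            if not alpha(x, y):
                continue
            fx = f(*(ctx[:i] + (x,) + ctx[i:]))
            fy = f(*(ctx[:i] + (y,) + ctx[i:]))
            if not beta(fx, fy):
                return False
    return True


def polarity_report():
    """The polarities claimed in the text, the negative-to-positive rewriting
    (negative w.r.t. (α, β) iff positive w.r.t. (α˘, β) iff positive w.r.t.
    (α, β˘)), and the extension to a composite relation."""
    sub = subseteq
    return {
        # |x| is monotonic: positive w.r.t. (⊆, ≤)
        "card_pos0_sub_leq": is_positive(card, 1, 0, sub, leq),
        # x\y is monotonic in its first argument w.r.t. (⊆, ⊆) ...
        "diff_pos0_sub_sub": is_positive(diff, 2, 0, sub, sub),
        # ... but antimonotonic in its second: not positive w.r.t. (⊆, ⊆),
        "diff_pos1_sub_sub": is_positive(diff, 2, 1, sub, sub),
        # yet positive w.r.t. (⊆˘, ⊆) and w.r.t. (⊆, ⊆˘)
        "diff_pos1_subconv_sub": is_positive(diff, 2, 1, converse(sub), sub),
        "diff_pos1_sub_subconv": is_positive(diff, 2, 1, sub, converse(sub)),
        # positive w.r.t. (⊆, ⊆) and (=, =) gives positive w.r.t. (⊆;=, ⊆;=)
        "diff_pos0_comp": is_positive(diff, 2, 0, compose(sub, equal),
                                      compose(sub, equal)),
    }


if __name__ == "__main__":
    for name, holds in polarity_report().items():
        print(f"{name}: {holds}")
```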

I also extend polarities with respect to composite relations and with respect to the identity relation in the following way: For any argument position i of any function symbol f in Σ, if the i-th argument position of f is positive with respect to both (α, β) and (α', β'), then it is also positive with respect to ((α; α'), (β; β')). The i-th argument position of f is positive with respect to

There is a relationship between polarities and the partial order $\sqsubseteq$ on 
relations, which determines whether a signature is correctly stated: 

Definition 1. A signature $(S^*, \Sigma)$ is said to be correct if for any argument 
position $i$ of any function symbol $f$ in $\Sigma$, and any relations $\alpha, \beta$, and $\gamma$ in $S^*$ we 
have that 

- if $\gamma \sqsubseteq \beta$ and the $i$-th argument position of $f$ is positive with respect to $(\alpha, \gamma)$, 
then it is also positive with respect to $(\alpha, \beta)$, 

- if $\alpha \sqsubseteq \gamma$ and the $i$-th argument position of $f$ is positive with respect to $(\gamma, \beta)$, 
then it is also positive with respect to $(\alpha, \beta)$. 
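As an added example (not part of the paper), the following Python code checks polarity declarations of the kind introduced above against a finite model: it brute-forces whether an argument position of a concrete function is positive with respect to a pair of relations, over the powerset of a three-element universe. The universe, the functions and the relations are constructed for the example; the cardinality and set-difference cases are the two from the text, and the last entry checks the equivalence between negative polarity with respect to $(\subseteq, \subseteq)$ and positive polarity with respect to $(\supseteq, \subseteq)$. A declaration that fails such a check would license unsound rewriting steps in the calculus of Sect. 3, which is why one would validate it on a model before trusting it.

```python
# Validating declared polarities against a finite model (added example, not
# from the paper): brute-force the monotonicity/antimonotonicity of concrete
# functions over the powerset of a small universe before the declaration is
# used to license rewriting at an argument position.
from itertools import combinations, product


def powerset(universe):
    items = sorted(universe)
    return [frozenset(c) for n in range(len(items) + 1) for c in combinations(items, n)]


def is_positive(f, i, alpha, beta, domains):
    """Argument position i of f is positive w.r.t. (alpha, beta) iff for all
    a alpha b, with the other arguments fixed, f(..a..) beta f(..b..)."""
    others = [d for k, d in enumerate(domains) if k != i]
    for ctx in product(*others):
        for a, b in product(domains[i], repeat=2):
            if alpha(a, b):
                args_a, args_b = list(ctx), list(ctx)
                args_a.insert(i, a)
                args_b.insert(i, b)
                if not beta(f(*args_a), f(*args_b)):
                    return False
    return True


def converse(rel):
    """alpha-converse: negative polarity w.r.t. (alpha, beta) is checked as
    positive polarity w.r.t. (converse(alpha), beta)."""
    return lambda x, y: rel(y, x)


# Constructed model: all subsets of {0, 1, 2}; subset order on sets, <= on cardinalities.
SETS = powerset({0, 1, 2})


def subset(x, y):
    return x <= y


def leq(x, y):
    return x <= y


def card(x):
    return len(x)


def setdiff(x, y):
    return x - y


def polarity_report():
    """The two examples of the text, plus the declaration that would wrongly
    make set difference monotonic in its second argument."""
    return {
        'card: pos (⊆, ≤)': is_positive(card, 0, subset, leq, [SETS]),
        'setdiff arg 1: pos (⊆, ⊆)': is_positive(setdiff, 0, subset, subset, [SETS, SETS]),
        'setdiff arg 2: pos (⊆, ⊆)': is_positive(setdiff, 1, subset, subset, [SETS, SETS]),
        'setdiff arg 2: pos (⊇, ⊆)': is_positive(setdiff, 1, converse(subset), subset, [SETS, SETS]),
    }
```

`polarity_report()` returns True for the cardinality function and for the first argument of set difference, False for the second argument with respect to $(\subseteq, \subseteq)$, and True once the first relation is replaced by its converse, as the text states.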

From now on I only consider correct signatures. As usual, $T_\Sigma(X)$ denotes 
the set of first-order $\Sigma$-terms over a denumerable set $X$ of variables. Sentences 
are expressions $s\,\alpha\,t$, where $s, t \in T_\Sigma(X)$ and $\alpha \in S^*$. A substitution $\sigma = 
\{x_1 \mapsto t_1, \ldots, x_n \mapsto t_n\}$ is a map from a finite subset of variables $\{x_1, \ldots, x_n\} \subseteq 
X$ to terms, and can be uniquely extended to a mapping from terms to terms 
and from sentences to sentences. A theory presentation is a pair $(\Sigma, \Gamma)$, where 
$\Sigma$ is a signature and $\Gamma$ is a set of $\Sigma$-sentences, also called axioms. 

An interpretation in this logic is a $\Sigma$-algebra $A$ together with an assignment 
to each $\alpha \in S^*$ of a set $\llbracket \alpha \rrbracket \subseteq A \times A$, such that, for all $\alpha, \beta \in S^*$, $a, b \in A$, 
$f \in \Sigma_n$, and $i \in [1 \ldots n]$: 

- $(a, b) \in \llbracket \alpha;\beta \rrbracket$ iff there exists $c \in A$ such that $(a, c) \in \llbracket \alpha \rrbracket$ and $(c, b) \in \llbracket \beta \rrbracket$ 

- $(a, a) \in \llbracket 1 \rrbracket$ 

- $(a, b) \in \llbracket \breve{\alpha} \rrbracket$ if and only if $(b, a) \in \llbracket \alpha \rrbracket$ 

- $\llbracket \alpha \rrbracket \subseteq \llbracket \beta \rrbracket$ whenever $\alpha \sqsubseteq \beta$ 

- $(a, b) \in \llbracket \alpha \rrbracket$ implies $(\llbracket f \rrbracket(\ldots, a, \ldots), \llbracket f \rrbracket(\ldots, b, \ldots)) \in \llbracket \beta \rrbracket$ whenever the $i$-th 
position of $f$ is positive with respect to $(\alpha, \beta)$ 

We say that such an algebra $A$ satisfies a sentence $s\,\alpha\,t$ if and only if for 
each assignment $\rho : X \to A$, $(\llbracket s \rrbracket\rho, \llbracket t \rrbracket\rho) \in \llbracket \alpha \rrbracket$, where $\llbracket \cdot \rrbracket\rho$ is the unique $\Sigma$- 
homomorphism extending $\rho$. 

In order to capture a large variety of models of specification, it is necessary 
to endow the logic with a more general model theory than the one presented in 
this paper, namely one based on the categorical theory of relations, also known 
as allegories, as I have shown in detail elsewhere. 

3 Term Rewriting Along Binary Relations 

Given a term $t$, let $t|_p$ denote the subterm occurring at position $p$, represented 
in Dewey decimal notation. When this occurrence is replaced with term $s$, we 
denote that by $t[s]_p$. The polarity of argument positions of functions can be 
easily extended to subterm positions $p$ within a term $t$ in the following way: 

Definition 2. 

1. Position $i$ in a term $f(t_1, \ldots, t_n) \in T_\Sigma(X)$ is positive with respect to a pair 
of relations $(\alpha, \beta)$, if and only if the $i$-th argument position of $f$ is positive 
with respect to $(\alpha, \beta)$. 

2. For every term $u \in T_\Sigma(X)$, subterm positions $p$ and $q$, and relations $\alpha, \beta \in 
S^*$, $p.q$ in $u$ is positive with respect to $(\alpha, \beta)$ if and only if there exists a 
relation $\gamma \in S^*$ such that the polarity of $q$ in $u|_p$ with respect to $(\alpha, \gamma)$ and 
the polarity of $p$ in $u$ with respect to $(\gamma, \beta)$ are both positive. 

Obviously this extension captures all the negative polarities through the 
relation existing between positive and negative polarities, as discussed in the 
previous section. 



3.1 A General Notion of Term Rewriting 

The term rewriting approach to theorem proving in equational logic is based 
on the fact that we can use the equations of a given theory as rewrite rules, by 
imposing a specific directionality on the equations. In the same sense we may 
prove theorems of a given theory in our logic with special relations by considering 
its atomic formulae as rewrite rules, too. We do this either considering an atomic 
formula $s\,\alpha\,t$ as a rule from left to right, in which case we write $s \xrightarrow[\alpha]{} t$, or else 
from right to left, in which case we write $s \xleftarrow[\alpha]{} t$. Since sentences $s\,\alpha\,t$ and $t\,\breve{\alpha}\,s$ 
are equivalent, we may also write $t \xleftarrow[\breve{\alpha}]{} s$ and $t \xrightarrow[\breve{\alpha}]{} s$, respectively. If, given a 
theory presentation $((S^*, \Sigma), \Gamma)$, we interpret the axioms in $\Gamma$ as rewrite rules 
in the sense explained above, then we may call $\Gamma$ also a term rewriting system, 
generalizing in this way the standard notion of term rewriting system (where 
rewrite rules are oriented equations). Consequently I redefine the notion of term 
rewriting as follows: 

Definition 3. Given a term rewriting system $\Gamma$, a rewrite rule $l \xrightarrow[\alpha]{} r$ in $\Gamma$, and 
a term $s$, I say that $s$ rewrites along $\gamma$ to $t$, written $s \xrightarrow[\gamma,\Gamma]{} t$, if there exist a 
relation $\gamma$ in $S^*$ and a substitution $\sigma$ such that $\sigma(l) = s|_p$ for a subterm position 
$p$ that is positive with respect to $(\alpha, \gamma)$, and $t = s[\sigma(r)]_p$. 

In general I will write $s \xrightarrow[\Gamma]{} t$ if there exists some relation $\gamma$ in $S^*$ such that 
$s \xrightarrow[\gamma,\Gamma]{} t$, i.e. $\xrightarrow[\Gamma]{} = \bigcup_{\gamma \in S^*} \xrightarrow[\gamma,\Gamma]{}$. Deviating from its standard definition, I will 
call $\xrightarrow[\Gamma]{}$ a rewrite relation. The standard definition of a rewrite relation is that 
of a binary relation over terms that is closed both under context application 
(the 'replacement property') and under substitutions (the 'fully invariant 
property'). My 'redefinition' of rewrite relation differs from the 
standard one in that, according to Definition 3, $\xrightarrow[\Gamma]{}$ satisfies a weaker 'replacement 
property', namely that the relation is closed under context application only 
on positively polarized positions with respect to a pair of relations. 



Notation: Given the rewrite relation $\xrightarrow[\Gamma]{}$ induced by the term rewriting system 
$\Gamma$, I write $\xrightarrow[\Gamma]{+}$ and $\xrightarrow[\Gamma]{*}$ for its transitive and reflexive-transitive closures, respectively. 
In particular, I write $s \xrightarrow[\gamma,\Gamma]{*} t$ if there exist terms $s_0, \ldots, s_n \in T_\Sigma(X)$ and 
relations $\alpha_1, \ldots, \alpha_n \in S^*$, $n \ge 0$, such that 

$$s = s_0 \xrightarrow[\alpha_1,\Gamma]{} s_1 \xrightarrow[\alpha_2,\Gamma]{} s_2 \cdots \xrightarrow[\alpha_n,\Gamma]{} s_n = t \quad\text{and}\quad \alpha_1 ; \cdots ; \alpha_n \sqsubseteq \gamma,$$ 

and I write $s \xrightarrow[\gamma,\Gamma]{+} t$ when $n > 0$. It is obvious that $\xrightarrow[\Gamma]{*} = \bigcup_{\gamma \in S^*} \xrightarrow[\gamma,\Gamma]{*}$ 
and $\xrightarrow[\Gamma]{+} = \bigcup_{\gamma \in S^*} \xrightarrow[\gamma,\Gamma]{+}$. Analogously, I will write $\xleftrightarrow[\gamma,\Gamma]{}$, $\xleftrightarrow[\Gamma]{}$, $\xleftrightarrow[\Gamma]{+}$ 
and $\xleftrightarrow[\Gamma]{*}$ for their respective symmetric closures. 

In the rest of this paper I will drop the subscript $\Gamma$ if the term rewriting 
system is clear from context. 
3.2 A Proof Calculus Based on Term Rewriting 

I am interested in using the general notion of term rewriting along relations 
introduced in the previous section in order to prove whether a given atomic formula is 
or is not a theorem of a given theory in our logic of special relations. We know 
from standard equational term rewriting that term rewriting systems need to 
have several properties (the Church-Rosser and termination properties) in order 
to provide decision algorithms for the equational theory they embed. In this 
subsection I am going to analyze how these properties translate to the present 
general notion of term rewriting system. Of course, due to the additional generality 
and expressiveness of the logic with special relations, I expect the required 
properties to be much more subtle than in the equational case. 

Definition 4. A proof of the atomic formula $s\,\gamma\,t$ in a term rewriting system 
$\Gamma$ is a sequence of rewrites of the form 

$$s = s_0 \xleftrightarrow[\alpha_1]{} s_1 \xleftrightarrow[\alpha_2]{} \cdots \xleftrightarrow[\alpha_n]{} s_n = t,$$ 

$n \ge 0$, such that $\alpha_1 ; \cdots ; \alpha_n \sqsubseteq \gamma$, i.e. $s \xleftrightarrow[\gamma]{*} t$. Recall that when $n = 0$, 
$\alpha_1 ; \cdots ; \alpha_n = 1$. 

Since I am interested in exploiting rewriting along relations in a computational 
way, I will look for sufficient conditions on a term rewriting system $\Gamma$ such that 
every atomic formula that has a proof also has a rewrite proof: 

Definition 5. A rewrite proof of an atomic formula $s\,\gamma\,t$ in a term rewriting 
system $\Gamma$ is a proof of the particular form 

$$s = s_0 \xrightarrow[\alpha_1]{} \cdots \xrightarrow[\alpha_n]{} s_n = u = t_m \xleftarrow[\beta_m]{} \cdots \xleftarrow[\beta_1]{} t_0 = t,$$ 

$n, m \ge 0$, such that $\alpha_1 ; \cdots ; \alpha_n ; \beta_m ; \cdots ; \beta_1 \sqsubseteq \gamma$, i.e. $s \xrightarrow[\alpha]{*} u \xleftarrow[\beta]{*} t$ with 
$\alpha = \alpha_1 ; \cdots ; \alpha_n$ and $\beta = \beta_m ; \cdots ; \beta_1$. 

If every provable formula has a rewrite proof, a decision procedure is straightforward: In 
order to prove $s\,\gamma\,t$, we compute the sets 

$$A = \{(v, \delta) \in T_\Sigma(X) \times S^* \mid s \xrightarrow[\delta]{*} v\} \qquad B = \{(v, \delta) \in T_\Sigma(X) \times S^* \mid v \xrightarrow[\delta]{*} t\}$$ 

and check whether there exist $u \in T_\Sigma(X)$ and $\alpha, \beta \in S^*$ such that $(u, \alpha) \in A$, 
$(u, \beta) \in B$, and $\alpha ; \beta \sqsubseteq \gamma$. Notice that this decision procedure is not based 
on normal-form computation as in the case of equational term rewriting, but 
instead computes the whole rewrite trees starting from $s$ and $t$. In order to have 
a decision algorithm, the sets $A$ and $B$ need to be always finite. We therefore need 
termination and finite branching. They are defined in a similar way as for 
standard rewriting. 
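As an added example, not taken from the paper, the following Python model implements Definition 3 and the decision procedure just described for one small instance of the logic. It assumes $S = \{=, \le, \ge\}$ with $\ge$ the converse of $\le$, a composition table that reduces every composite either to an element of $S$ or to "not in $S$" (written None and discarded, as for $\le;\ge$), and that the root position of a term is positive with respect to $(\alpha, \beta)$ exactly when $\alpha \sqsubseteq \beta$, which the paper leaves implicit. The signature, the axioms $a \le b$ and $b \le c$, and the monotonic $f$ and antimonotonic $g$ are constructed for the example. The set $B$ is read off the rewrite tree of $t$, using that $v \xrightarrow[\delta]{*} t$ iff $t \xrightarrow[\breve\delta]{*} v$ in this calculus, which follows from reading every axiom in both directions and from the converse rule for polarities.

```python
# Rewriting along relations (Definition 3) and the Sect. 3.2 decision procedure
# on one instance of the logic: S = {=, <=, >=}, with >= the converse of <=.
# Added example; the instance and its composition table are assumptions.
from itertools import product

S = ('=', '<=', '>=')
CONV = {'=': '=', '<=': '>=', '>=': '<='}
# Composition a;b reduced to S; None when the composite (e.g. <=;>=) is not a
# relation of S, so a rewrite path carrying it proves nothing about S.
COMP = {(a, b): None for a, b in product(S, repeat=2)}
COMP.update({**{('=', x): x for x in S}, **{(x, '='): x for x in S}})
COMP.update({('<=', '<='): '<=', ('>=', '>='): '>='})


def below(a, b):
    """The partial order on S: '=' lies below every relation."""
    return a == b or a == '='


# Terms: constants and variables are strings (variables start with '?'),
# applications are tuples (f, arg_1, ..., arg_n); positions are int tuples.
def match(pat, term, sub):
    """Extend sub so that sub(pat) == term; None if pat does not match term."""
    if isinstance(pat, str) and pat.startswith('?'):
        return None if sub.get(pat, term) != term else {**sub, pat: term}
    if isinstance(pat, str) or isinstance(term, str):
        return sub if pat == term else None
    if pat[0] != term[0] or len(pat) != len(term):
        return None
    for p, t in zip(pat[1:], term[1:]):
        sub = sub if sub is None else match(p, t, sub)
    return sub


def apply(sub, t):
    return sub.get(t, t) if isinstance(t, str) else (t[0],) + tuple(apply(sub, a) for a in t[1:])


def positions(t):
    yield ()
    if not isinstance(t, str):
        for i in range(1, len(t)):
            yield from ((i,) + q for q in positions(t[i]))


def subterm(t, p):
    return t if not p else subterm(t[p[0]], p[1:])


def replace(t, p, s):
    return s if not p else t[:p[0]] + (replace(t[p[0]], p[1:], s),) + t[p[0] + 1:]


class Signature:
    """polarity[(f, i)] = set of (alpha, beta) declared for argument i of f:
    {('<=', '<=')} for a monotonic f, {('>=', '<=')} for an antimonotonic one."""
    def __init__(self, polarity):
        self.polarity = polarity

    def positive_arg(self, f, i, alpha, beta):
        """Definition 1 (closure under the order) plus the converse rule of Sect. 2."""
        return any((below(alpha, a0) and below(b0, beta)) or
                   (below(alpha, CONV[a0]) and below(CONV[b0], beta))
                   for a0, b0 in self.polarity.get((f, i), ()))

    def positive_pos(self, t, p, alpha, beta):
        """Definition 2; the root is taken positive w.r.t. (alpha, beta) iff
        alpha is below beta (assumption: the paper leaves the root implicit)."""
        if not p:
            return below(alpha, beta)
        return any(self.positive_pos(t[p[0]], p[1:], alpha, g) and
                   self.positive_arg(t[0], p[0], g, beta) for g in S)


def rules_of(axioms):
    """Each axiom l alpha r is used both as l ->alpha r and r ->conv(alpha) l."""
    return [(l, a, r) for l, a, r in axioms] + [(r, CONV[a], l) for l, a, r in axioms]


def rewrites(sig, rules, s):
    """One-step rewrites (t, gamma) of s allowed by Definition 3."""
    out = set()
    for p, (l, alpha, r) in product(positions(s), rules):
        sub = match(l, subterm(s, p), {})
        if sub is not None:
            out.update((replace(s, p, apply(sub, r)), g)
                       for g in S if sig.positive_pos(s, p, alpha, g))
    return out


def reach(sig, rules, s, limit=10_000):
    """{(v, delta) | s ->*_delta v}, composing relations along each path; the
    limit only guards the example against a non-terminating system."""
    seen, todo = {(s, '=')}, [(s, '=')]
    while todo:
        v, d = todo.pop()
        for w, g in rewrites(sig, rules, v):
            c = COMP[(d, g)]
            if c is not None and (w, c) not in seen:
                seen.add((w, c))
                todo.append((w, c))
        if len(seen) > limit:
            raise RuntimeError('rewrite tree too large: not terminating?')
    return seen


def prove(sig, rules, s, gamma, t):
    """Is there u with (u, a) in A, (u, b) in B and a;b below gamma?  B is read
    off the rewrite tree of t, since v ->*_d t iff t ->*_conv(d) v here."""
    A = reach(sig, rules, s)
    B = {(v, CONV[d]) for v, d in reach(sig, rules, t)}
    return any(COMP[(a, b)] is not None and below(COMP[(a, b)], gamma)
               for (u, a), (w, b) in product(A, B) if u == w)


# Constructed instance: a <= b <= c, f monotonic and g antimonotonic w.r.t. <=.
SIG = Signature({('f', 1): {('<=', '<=')}, ('g', 1): {('>=', '<=')}})
RULES = rules_of([('a', '<=', 'b'), ('b', '<=', 'c')])
```

With this instance, `prove(SIG, RULES, ('f', 'a'), '<=', ('f', 'c'))` and `prove(SIG, RULES, ('g', 'c'), '<=', ('g', 'a'))` return True, while `prove(SIG, RULES, ('f', 'c'), '<=', ('f', 'a'))` and `prove(SIG, RULES, 'a', '=', 'c')` return False. The rewrite trees stay finite here because every cycle through a reversed axiom composes to $\le;\ge$ or $\ge;\le$, which lie outside $S$ and are dropped; in general the finiteness of $A$ and $B$ is exactly the termination and finite-branching requirement stated in the text.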
3.3 Confluence Properties 

If we want that, given a term rewriting system $\Gamma$, every proof of an atomic formula 
in $\Gamma$ can also be given as a rewrite proof, $\Gamma$ needs to be not only a finitely 
branching and terminating term rewriting system, but also a Church-Rosser one. 
Let us define what the Church-Rosser property and its closely related property 
of 'local confluence' look like for term rewriting along relations: 

Definition 6. A term rewriting system $\Gamma$ is Church-Rosser if, for any pair of 
terms $s, t \in T_\Sigma(X)$ and relation $\alpha \in S^*$ such that $s \xleftrightarrow[\alpha]{*} t$, there exist a term 
$u \in T_\Sigma(X)$ and relations $\gamma, \delta \in S^*$ such that $s \xrightarrow[\gamma]{*} u \xleftarrow[\delta]{*} t$ and $\gamma ; \delta \sqsubseteq \alpha$. It 
is locally confluent if, for any three terms $s, t, v \in T_\Sigma(X)$ and pair of relations 
$\alpha, \beta \in S^*$ such that $s \xleftarrow[\alpha]{} v \xrightarrow[\beta]{} t$, there exist a term $u \in T_\Sigma(X)$ and relations 
$\gamma, \delta \in S^*$ such that $s \xrightarrow[\gamma]{*} u \xleftarrow[\delta]{*} t$ and $\gamma ; \delta \sqsubseteq \alpha ; \beta$. 

We will say that a peak having a rewrite proof converges. The following propositions 
are true in our general setting: 

Proposition 7. A terminating term rewriting system $\Gamma$ is Church-Rosser if and 
only if it is locally confluent. 

Proof. By standard techniques for proving confluence of abstract reduction 
relations. The only additional complexity to keep in mind is that the 
additional inclusions of compositions of relations ($\gamma ; \delta \sqsubseteq \alpha ; \beta$) need to be taken 
into account. □ 

Recall that in standard term rewriting local confluence reduces to convergence 
of all critical pairs. Critical pairs are formed by non-trivially overlapping 
left-hand sides of rewrite rules of the term rewriting system at hand¹. One can 
then attempt to complete a terminating but non-Church-Rosser term rewriting 
system into a Church-Rosser one, by adding those critical pairs without a rewrite 
proof as new rewrite rules to the system. It is therefore very convenient to see 
how this extends to term rewriting along relations. 

3.4 Critical Peaks 

Many aspects of the following discussion have already been thoroughly studied 
within the context of standard rewriting, but it is worth working 
through them again within our general framework of rewriting along relations, 
in order to highlight the subtleties we have to deal with now. 

Given a theory presentation $((S^*, \Sigma), \Gamma)$, let $s, t, v$ be terms in $T_\Sigma(X)$, $\alpha, \beta$ 
relations in $S^*$, and let us consider $\Gamma$ as a term rewriting system. A peak 
$s \xleftarrow[\alpha]{} v \xrightarrow[\beta]{} t$ in $\Gamma$ is the result of rewriting with two (not necessarily distinct) 
rewrite rules $r_1 \xleftarrow[\alpha']{} l_1$ and $l_2 \xrightarrow[\beta']{} r_2$ in $\Gamma$ on (not necessarily distinct) subterm 
positions $p$ and $q$ in $v$, respectively. There are two different cases to consider: 
Either the rewrite rules do not overlap, but are applied on two disjoint subterm 
positions in $v$ (disjoint case), or else they do overlap (overlap case). 

¹ A non-trivial overlap means an overlap on non-variable subterm positions. 

Subterm positions $p$ and $q$ may have a common prefix, i.e. there exists an $r$ 
such that $p = r.p'$ and $q = r.q'$, and in the previous two cases it is desirable 
to neglect the fragment of the term above $r$, since it does not take part in the 
actual peak; it is just a context $w[\ ]_r$ put around the terms forming it. But to 
be able to strip off this context we need to prove that context application, when 
possible, preserves local confluence. 

Context Application: Context application preserving local confluence means 
that if a peak $s \xleftarrow[\alpha]{} v \xrightarrow[\beta]{} t$ converges, then by applying a context $w[\ ]_r$ around 
the terms involved, the resulting peak $w[s]_r \xleftarrow[\alpha']{} w[v]_r \xrightarrow[\beta']{} w[t]_r$ converges, too. 

Though this is obviously true in standard term rewriting, its validity in the 
framework of our general notion of term rewriting is not that straightforward. A 
context $w[\ ]_r$ can be applied around the terms if there exist relations $\alpha', \beta' \in S^*$ 
such that $r$ in $w$ is positive with respect to $(\alpha, \alpha')$ and with respect to $(\beta, \beta')$. 
But then the resulting peak converges only if there also exist relations $\gamma', \delta' \in S^*$ 
such that $r$ in $w$ is positive with respect to $(\gamma, \gamma')$ and with respect to $(\delta, \delta')$, 
and, in addition, $\gamma' ; \delta' \sqsubseteq \alpha' ; \beta'$ (see Fig. 1). 



Fig. 1. Context application preserving local confluence 



Unfortunately this is not always true in general, and we will need to put additional 
conditions on the polarity of our signature's function symbols for context 
application to preserve local confluence. In order to simplify the treatment of 
these conditions, I have already chosen to define the monotonicity and antimonotonicity 
properties of function symbols only with respect to special relations in 
$S$ (see Sect. 2), so that the polarities of their argument positions with respect to 
general binary relations in $S^*$ depend on their polarity with respect to special 
relations in $S$ and on the partial order in $S^*$. 

Before giving the additional conditions to put on signatures, let me first state 
the following proposition: 

Proposition 8. Let $\breve{S} = \{\breve{\alpha} \mid \alpha \in S\}$. For every relation $\alpha \in S^*$ there exist 
$\alpha_1, \ldots, \alpha_n \in S \cup \breve{S}$, $n \ge 0$, such that $\alpha = \alpha_1 ; \cdots ; \alpha_n$. 

Proof. By definition, since $S^*$ is the domain of a free monoid with an anti- 
involution. □ 

I now define the notion of well-polarized signatures, in order to capture those 
special cases for which context application is going to preserve local confluence: 

Definition 9. A signature $(S^*, \Sigma)$ is said to be well-polarized if whenever for a 
function symbol $f \in \Sigma$, argument position $i$ in $f$, and pair of relations $\alpha, \beta \in S^*$ 
we have that $i$ in $f$ is positive with respect to $(\alpha, \beta)$ (where $\alpha = \alpha_1 ; \cdots ; \alpha_n$, and 
for all $j \in [1 \ldots n]$, $\alpha_j \in S \cup \breve{S}$²), then there exist relations $\beta_1, \ldots, \beta_n \in S^*$ 
such that for all $j \in [1 \ldots n]$, $i$ in $f$ is positive with respect to $(\alpha_j, \beta_j)$, and 
$\beta_1 ; \cdots ; \beta_n \sqsubseteq \beta$. 

Lemma 10. Let $(S^*, \Sigma)$ be a well-polarized signature, and let $\alpha, \beta$, and $\gamma$ be three 
relations in $S^*$, $w$ a term in $T_\Sigma(X)$, $r$ a position in $w$, such that $r$ in $w$ is positive 
with respect to $((\alpha;\beta), \gamma)$. Then there exist relations $\alpha'$ and $\beta'$ in $S^*$ such that $r$ 
in $w$ is positive with respect to $(\alpha, \alpha')$ and with respect to $(\beta, \beta')$, and $\alpha' ; \beta' \sqsubseteq \gamma$. 

Proof. By induction on the length of position $r = d_1. \cdots .d_l$, $l \ge 1$, $d_j \in \mathbb{N}$. 
Let $\alpha = \alpha_1 ; \cdots ; \alpha_n$ and $\beta = \beta_1 ; \cdots ; \beta_m$, $m, n \ge 0$, such that for all $i \in [1 \ldots n]$ 
and $j \in [1 \ldots m]$, $\alpha_i, \beta_j \in S \cup \breve{S}$ (Proposition 8), and suppose $f$ is the top-most 
function symbol of $w$, i.e. $w = f(s_1, \ldots, s_p)$ and for all $k \in [1 \ldots p]$, $s_k \in T_\Sigma(X)$. 

1. If $l = 1$ then $r = d$, $d \in \mathbb{N}$. By Definition 2, $d$ in $f$ is positive with respect 
to $((\alpha;\beta), \gamma)$, and since the signature is well-polarized there exist relations 
$\alpha'_1, \ldots, \alpha'_n, \beta'_1, \ldots, \beta'_m \in S^*$ such that for all $i \in [1 \ldots n]$ and for all $j \in 
[1 \ldots m]$, $d$ in $f$ is positive with respect to $(\alpha_i, \alpha'_i)$ and with respect to $(\beta_j, \beta'_j)$, 
and $\alpha'_1 ; \cdots ; \alpha'_n ; \beta'_1 ; \cdots ; \beta'_m \sqsubseteq \gamma$. Taking $\alpha' = \alpha'_1 ; \cdots ; \alpha'_n$ and 
$\beta' = \beta'_1 ; \cdots ; \beta'_m$, the extension of polarities to composite relations gives the claim. 

2. If $l > 1$ then $r = d.r'$, $d \in \mathbb{N}$. By Definition 2 there exists $\gamma' \in S^*$ such 
that $r'$ in $s_d$ is positive with respect to $((\alpha;\beta), \gamma')$, and $d$ in $f$ is positive 
with respect to $(\gamma', \gamma)$. By the induction hypothesis there exist relations $\alpha'$ 
and $\beta'$ in $S^*$ such that $r'$ in $s_d$ is positive with respect to $(\alpha, \alpha')$ and with 
respect to $(\beta, \beta')$, and $\alpha' ; \beta' \sqsubseteq \gamma'$. Therefore, by Definition 1, $d$ in $f$ is also positive with 
respect to $((\alpha';\beta'), \gamma)$. Since the signature is well-polarized, and by reasoning 
analogously to the base case, there exist relations $\alpha''$ and $\beta''$ in $S^*$ such that 
$d$ in $f$ is positive with respect to $(\alpha', \alpha'')$ and with respect to $(\beta', \beta'')$, and 
$\alpha'' ; \beta'' \sqsubseteq \gamma$. By Definition 2, $r$ in $w$ is positive with respect to $(\alpha, \alpha'')$ and with 
respect to $(\beta, \beta'')$. 

□ 

Indeed, when dealing with well-polarized signatures, local confluence is closed 
under context application: 

Proposition 11. If the peak $s \xleftarrow[\alpha]{} v \xrightarrow[\beta]{} t$ converges, then, for each term $w \in 
T_\Sigma(X)$, position $r$ in $w$, and relations $\alpha', \beta' \in S^*$ such that $r$ in $w$ is positive with 
respect to $(\alpha, \alpha')$ and with respect to $(\beta, \beta')$, the peak $w[s]_r \xleftarrow[\alpha']{} w[v]_r \xrightarrow[\beta']{} w[t]_r$ 
converges, too. 

² Such relations $\alpha_j$ always exist due to Proposition 8. 
Proof. Since the peak $s \xleftarrow[\alpha]{} v \xrightarrow[\beta]{} t$ converges, there exist a term $u \in T_\Sigma(X)$ 
and relations $\gamma, \delta \in S^*$ such that $s \xrightarrow[\gamma]{*} u \xleftarrow[\delta]{*} t$ and $\gamma ; \delta \sqsubseteq \alpha ; \beta$. We have that $r$ 
in $w$ is positive with respect to $((\alpha;\beta), (\alpha';\beta'))$, therefore $r$ in $w$ is also positive 
with respect to $((\gamma;\delta), (\alpha';\beta'))$. By Lemma 10 there exist relations $\gamma', \delta' \in S^*$ 
such that $r$ in $w$ is positive with respect to $(\gamma, \gamma')$ and $(\delta, \delta')$. Consequently 
$w[s]_r \xrightarrow[\gamma']{*} w[u]_r \xleftarrow[\delta']{*} w[t]_r$. Furthermore, and also by Lemma 10, $\gamma' ; \delta' \sqsubseteq \alpha' ; \beta'$. 

□ 



Disjoint Case: Knowing that we can strip off the context not involved in the 
rewritings that form the actual peak, let us now see the case when the peak is 
due to the application of two rewrite rules on disjoint positions $p = i.p'$ and 
$q = j.q'$, $i \ne j$. Let us prove first the following lemma: 

Lemma 12. Let $((S^*, \Sigma), \Gamma)$ be a theory presentation. If for all function symbols 
$f \in \Sigma_n$, $n \in \mathbb{N}$, argument positions $i, j \in [1 \ldots n]$, $i \ne j$, and special relations 
$\alpha, \alpha', \beta, \beta' \in S$ we have that, whenever both the $i$-th and $j$-th argument positions 
of $f$ are positive with respect to $(\alpha', \alpha)$ and $(\beta', \beta)$, respectively, $\alpha ; \beta = \beta ; \alpha$, then 
this is also true for all general binary relations $\alpha, \alpha', \beta, \beta' \in S^*$. 

Proof. Let $\alpha = \alpha_1 ; \cdots ; \alpha_n$ and $\beta = \beta_1 ; \cdots ; \beta_m$, $m, n \ge 0$, such that for all 
$i \in [1 \ldots n]$ and $j \in [1 \ldots m]$, $\alpha_i, \beta_j \in S \cup \breve{S}$ (Proposition 8). The proof is 
by induction over $n$ and $m$. If $n = 0$, $\alpha = 1$ and $1 ; \beta = \beta ; 1$ (analogously for $m = 0$). 
If $n, m > 0$, let $\bar{\alpha} = \alpha_2 ; \cdots ; \alpha_n$ and $\bar{\beta} = \beta_2 ; \cdots ; \beta_m$. There exist relations 
$\alpha'_1, \beta'_1 \in S \cup \breve{S}$ and relations $\bar{\alpha}', \bar{\beta}' \in S^*$ such that 

- the $i$-th argument position in $f$ is positive with respect to $(\alpha'_1, \alpha_1)$ and with 
respect to $(\bar{\alpha}', \bar{\alpha})$ 

- the $j$-th argument position in $f$ is positive with respect to $(\beta'_1, \beta_1)$ and with 
respect to $(\bar{\beta}', \bar{\beta})$ 

Therefore $\alpha_1 ; \beta_1 = \beta_1 ; \alpha_1$ and, by the induction hypothesis, $\alpha_1 ; \bar{\beta} = \bar{\beta} ; \alpha_1$, $\bar{\alpha} ; \beta_1 = 
\beta_1 ; \bar{\alpha}$, and $\bar{\alpha} ; \bar{\beta} = \bar{\beta} ; \bar{\alpha}$. Consequently $\alpha ; \beta = \alpha_1 ; \bar{\alpha} ; \beta_1 ; \bar{\beta} = \alpha_1 ; \beta_1 ; \bar{\alpha} ; \bar{\beta} = 
\beta_1 ; \alpha_1 ; \bar{\beta} ; \bar{\alpha} = \beta_1 ; \bar{\beta} ; \alpha_1 ; \bar{\alpha} = \beta ; \alpha$. □ 



Proposition 13. Let $((S^*, \Sigma), \Gamma)$ be a theory presentation such that $(S^*, \Sigma)$ is 
a well-polarized signature. If for all function symbols $f \in \Sigma_n$, $n \in \mathbb{N}$, argument 
positions $i, j \in [1 \ldots n]$, $i \ne j$, and special relations $\alpha, \alpha', \beta, \beta' \in S$ we have 
that, whenever both the $i$-th and $j$-th argument positions of $f$ are positive with 
respect to $(\alpha', \alpha)$ and $(\beta', \beta)$, respectively, $\alpha ; \beta = \beta ; \alpha$, then all peaks due to the 
application of two rewrite rules in $\Gamma$ on disjoint subterm positions converge. 

Proof. Let $s \xleftarrow[\alpha]{} v \xrightarrow[\beta]{} t$ be a peak due to the application of two rewrite rules 
$r_1 \xleftarrow[\alpha']{} l_1$ and $l_2 \xrightarrow[\beta']{} r_2$ in $\Gamma$ on two disjoint subterm positions $p = i.p'$ and 
$q = j.q'$ of $v$, $i \ne j$, and let $f$ be the top-most function symbol of term $v$. We 
have that $s = v[\sigma_1(r_1)]_p$ and $t = v[\sigma_2(r_2)]_q$, where $\sigma_1$ and $\sigma_2$ are the matching 
substitutions with $\sigma_1(l_1) = v|_p$ and $\sigma_2(l_2) = v|_q$, respectively. It follows that subterm positions $p$ and 
$q$ in $v$ are positive with respect to $(\alpha', \alpha)$ and $(\beta', \beta)$, respectively, and therefore 
there exist relations $\alpha'', \beta'' \in S^*$ such that the $i$-th and $j$-th argument positions 
of $f$ are positive with respect to $(\alpha'', \alpha)$ and $(\beta'', \beta)$, respectively. Furthermore, 
since positions $p$ and $q$ are disjoint, there exists $u = s[\sigma_2(r_2)]_q = t[\sigma_1(r_1)]_p$ such 
that $s \xrightarrow[\beta]{} u \xleftarrow[\alpha]{} t$. In addition, by Lemma 12, $\alpha ; \beta = \beta ; \alpha$, which means that the 
peak converges. Finally, by Proposition 11, context application preserves local 
confluence. □ 



Overlap Case: Unlike in standard term rewriting, in our case we will need 
to look for overlaps on non-variable and variable subterm positions in order to 
generate critical atoms and variable instance atoms, and eventually check whether they 
have a rewrite proof. 

Let us define these atoms formally. Let $((S^*, \Sigma), \Gamma)$ be a theory presentation, 
where $\Gamma$ is considered a term rewriting system. 

Definition 14. If $l \xrightarrow[\alpha]{} r$ and $s \xrightarrow[\beta]{} t$ are two rewrite rules in $\Gamma$ and $\alpha, \beta$, and 
$\gamma$ in $S^*$ are relations such that $p$ is a negative position with respect to $(\alpha, \gamma)$ of 
a non-variable subterm of $s$, and $\sigma$ is the most general unifier of $s|_p$ and $l$, then 
the atomic formula $\sigma(s[r]_p)\ (\gamma;\beta)\ \sigma(t)$ is a critical atom. 

Definition 15. If $l \xrightarrow[\alpha]{} r$ and $s \xrightarrow[\beta]{} t$ are two rewrite rules in $\Gamma$ and $\alpha, \beta$, and $\gamma$ 
in $S^*$ are relations such that $p$ is the position of a variable subterm $x$ of $s$, $\sigma$ is a 
substitution such that $\sigma(x)$ has $l$ as subterm at position $q$ but $\sigma(y) = y$ for all 
$y \ne x$, and position $p.q$ in $\sigma(s)$ is a negative position with respect to $(\alpha, \gamma)$, then the 
critical atom $\sigma(s)[r]_{p.q}\ (\gamma;\beta)\ \sigma(t)$ is a variable instance atom. 

Proposition 16. Let $((S^*, \Sigma), \Gamma)$ be a theory presentation satisfying the same 
conditions as the one in Proposition 13. The rewrite system $\Gamma$ is locally confluent 
if and only if all critical and variable instance atoms have a rewrite proof. 

Proof. By standard techniques of term rewriting. □ 

3.5 Practical Theorem Proving 

Several important differences from standard equational term rewriting appear, 
which matter for the practicability of the term rewriting approach to 
deduction with binary relations when the signature includes functions that 
are monotonic or antimonotonic with respect to a pair of relations. In general, 
two rewrite rules may give rise to infinitely many critical and variable instance 
atoms. We can limit the number of critical atoms by putting some additional 
restrictions on our theories (we are going to see that on an example in the 
next section), but dealing with variable instance atoms is infeasible in practice, 
and nothing is gained compared to a strategy by which monotonicity axioms are 
treated unspecifically. Therefore we may consider rewriting on subterm positions 
only when variable instance atoms are generally unnecessary. In particular, one 
way to do that is the approach followed by Bachmair and Ganzinger, which 
consists of allowing rewriting on subterm positions only along relations that are 
symmetric. I suggest another approach that can also be useful to avoid variable 
instance atoms, namely exploiting the notion of polarity. Proposition 13 provides 
a first example where the notion of polarity serves to control term rewriting. 
In addition, we may allow rewriting along non-symmetric relations only on subterm 
positions of ground terms, or, more generally, of terms without variables on 
polarized subterm positions. A detailed case analysis of the feasibility of subterm 
rewriting in relation to the notion of polarity of subterm positions remains 
to be done and would be outside the scope of this paper, though I have studied these 
issues in some depth within the context of rewriting logic. 

4 Decidability Conditions for an Instance of the Logic 

From the previous discussion we may conclude that a proof calculus for the logic 
of special relations based on a general notion of term rewriting along binary 
relations is infeasible in practice. In order to overcome the tractability problems 
of the calculus, quite restrictive conditions need to be put on the special relations 
or on the axioms of our theories. Despite these severe drawbacks, the 
results of extending rewrite techniques beyond equality unify, and hence simplify 
in an elegant way, some aspects of the computational analysis for specification 
paradigms based on special relations. In this section I show how such a general 
view of term rewriting captures several hitherto distinct conditions for the 
decidability by term rewriting of theories in a particular instance of the logic of 
special relations, namely membership equational logic, under a single notion 
of local confluence. 



4.1 Membership Equational Logic 

In general a signature $\Omega = (K, \Sigma, \{S_k\}_{k \in K})$ in membership equational logic 
consists of a many-kinded signature $(K, \Sigma)$ and a family $\{S_k\}_{k \in K}$ of sets of 
sorts. For the sake of simplicity I will be concerned only with the 'one-kinded' 
case, i.e. when $K$ is a singleton set and the family $\{S_k\}_{k \in K}$ consists of only 
one set of sorts. Atomic formulae are membership assertions $t : s$ or equations 
$t = t'$, where $t$ and $t'$ are in $T_\Sigma(X)$ and $s$ is in $S_k$. Sentences are expressions 
$\varphi_1 \wedge \cdots \wedge \varphi_n \Rightarrow \varphi$, $n \ge 0$, where $\varphi_i$ and $\varphi$ are atomic formulae. Sentences of 
the particular form $x : s_1 \Rightarrow x : s_2$, where $x \in X$, are called subsort sentences, 
because they induce a subsort relation $\le$ over the sorts of $S_k$. I will consider 
subsort sentences as atomic formulae of the form $s_1 \le s_2$. Theory presentations 
are pairs $(\Omega, \Gamma)$, where $\Omega$ is a signature and $\Gamma$ is a set of sentences. For further 
details see [2]. For the subsequent discussion, and since theories in the logic of 
special relations as presented in this paper only have atomic sentences, I will treat 
the unconditional fragment of membership equational logic, with the exception 
of subsort sentences. 
4.2 Sort-Decreasingness 

When considering completion procedures for order-sorted rewrite systems, one 
has to face the problem that order-sorted replacement of equals by equals is not 
complete in general, and consequently one has to pose the restriction of 'sort- 
decreasingness' on the rewrite rules of the rewrite system. A rewrite rule is 
sort-decreasing if the sort to which the right-hand side of the rule belongs is a 
subsort of the one to which the left-hand side belongs. This restriction extends to the 
completion process, being a new source of failure, in addition to unorientable 
equations. 

Several unsatisfying and complicated ways to solve this problem have been 
suggested, but it turns out that a semantic treatment of sorts provides 
an elegant solution to the problems posed by the sort-decreasingness 
requirement. Within the framework of membership equational logic, Bouhoula, 
Jouannaud, and Meseguer study a Knuth-Bendix-like completion procedure that 
avoids non-sort-decreasing rewrites by adding semantics-preserving membership 
assertions to the original theory presentation, in a way similar to adding semantics- 
preserving equations when divergent critical pairs among rewrite rules arise. 

But a theory in membership equational logic is a particular theory in the 
logic of special relations, involving three different special relations $S = \{\le, :, =\}$ 
standing for 'subsort', 'membership', and 'equality' respectively, and where 
elements in $S^*$ are partially ordered by the minimal partial order such that 

$$= ; = \ \sqsubseteq\ = \qquad \le ; \le \ \sqsubseteq\ \le \qquad = ; : \ \sqsubseteq\ : \qquad : ; \le \ \sqsubseteq\ :$$ 

Furthermore, we only allow sentences of the form $s\,\alpha\,t$, where $\alpha$ is a special 
relation in $S$, not a general binary relation in $S^*$. Consequently, in order to 
check for local confluence of the term rewriting system associated to the theory 
presentation, we will have to consider overlaps on the left-hand sides of five 
possible distinct kinds of rewrite rules³: 

$$s \xrightarrow[=]{} t \qquad s \xrightarrow[\le]{} t \qquad s \xrightarrow[\ge]{} t \qquad s \xrightarrow[\in]{} t \qquad s \xrightarrow[\ni]{} t$$ 

But, in the very special case of membership equational logic, suitable restrictions 
on the ordering on terms '$\succ$' governing the orientation of our rewrite 
rules allow us to exclude some of the multiple cases of critical atoms we would 
otherwise have to consider. 

1. By requiring all operator symbols for term construction to precede in the 
term ordering all sort constants, we avoid rules of the form $s \xrightarrow[\ni]{} t$. 

2. By requiring the term ordering on sort constants to resemble the sort hierarchy, 
i.e. $s_2 \succ s_1$ whenever $s_2 \le s_1$, we avoid rules of the form $s \xrightarrow[\ge]{} t$. 

³ I use the symbol '$\in$' instead of '$:$' as type assignment, because it is a non-symmetric 
symbol like the special relation it denotes. For the subsequent discussion, and when 
I am concerned with rewriting, I will follow this convention. 
Only three rewrite relations, $\xrightarrow[=]{}$, $\xrightarrow[\in]{}$ and $\xrightarrow[\le]{}$, remain to be considered, and therefore 
only cases (a) and (b) shown in Fig. 2 of locally confluent critical peaks need 
to be checked. The finiteness of $S$ guarantees that only a finite number of 
critical atoms needs to be considered. Furthermore, since function symbols for 
term construction are kept separate from sort symbols, which are only allowed 
to be constants in membership assertions, the only polarized proper subterm 
positions are those with respect to $(=, =)$, and because of the symmetry of '$=$' 
no variable instance atoms need to be considered (cf. the discussion in Sect. 3.5). 
Cases (a) and (b) of Fig. 2 correspond to the conventional notion of 'confluence' 
(rewriting along equality) and to a weaker notion of sort-decreasingness than the one 
defined for membership equational logic. I will show the latter observation in more detail. 




Fig. 2. Cases of local confluence in membership equational logic 



In the framework of membership equational logic sort-decreasingness is defined 
together with the notion of 'critical reduced membership', which I state 
here adapted to our framework and also to the unconditional case. 

Definition 17. Given rewrite rules $t \xrightarrow[\in]{} s$ and $l \xrightarrow[=]{} r$ and $\sigma(t|_p) = \sigma(l)$ for 
some non-variable position $p$ and most general unifier $\sigma$, then $\sigma(t[r]_p) : s$ is a 
critical reduced membership. 

It is obvious that a critical reduced membership is an actual critical atom 
as defined in Definition 14 (besides the fact that here we are dealing only with 
special relations). 

Definition 18. A critical reduced membership $t' : s$ is sort-decreasing if there 
exists $s'$ such that $s' \le s$ and $t' \xrightarrow[\in]{} s'$. 

^ 6 

Analyzing this definition within our framework, it is obvious that sort-decreasingness 
is actually too strong a condition for decidability of equality and membership 
statements, because of the unnecessarily required one-step rewrite 
$t' \xrightarrow[\in]{} s'$ shown in Fig. 2(c). We have seen in Sect. 3.3 that, given termination, 
local confluence suffices for decidability of atomic formulae in theories with special 
relations. In membership equational theories the weaker sort-decreasing condition 
that actually suffices for decidability of equality, membership and subsort 
assertions is the one depicted in Fig. 2(b), and is closely related to Eker and 
Meseguer's notion of descendingness; following a different approach 
from the one presented here, they also suggested weakening the sort-decreasingness 
requirement in membership equational theories. 



4.3 On Regularity 

Eker and Meseguer's descendingness differs from local confluence as depicted in 
Fig. 2(b) in that it involves the notion of least sort and hence assumes strong 
regularity of the signature. Regularity is another well-known restriction usually 
put on order-sorted signatures; it assures the existence of a least sort for a given 
term in the hierarchy of sorts. Although not necessary for the decidability of 
equality, membership and subsort assertions, membership equational logic takes 
regular and strongly regular signatures into account for efficiency purposes. 

Actually, in the presence of strong regularity, Eker and Meseguer's descendingness 
notion and local confluence as depicted in Fig. 2(b) are equivalent. This 
is easily proved within the present framework, and constitutes an additional 
argument in favor of the elegance of term rewriting along special relations for the 
study of such issues, as we can see below. 



Definition 19. A membership equational theory (and by extension the term rewriting system) is strongly regular if for each term t there exists a sort s such that t → s and, whenever there exists another sort s' such that t → s', then s'

We say that s is the least sort of t.



The following is an alternative definition of descendingness to the one given by Eker and Meseguer. It is given with respect to critical reduced memberships as defined above, for comparison with Definition 18 of sort-decreasingness.



Definition 20. A critical reduced membership t' : s from rewrite rules t → s and l → r, for which s is the least sort of t, is descending if there exists a term t" with least sort s' such that t' t" and s s'.

Now we are ready to prove the equivalence between descendingness and local 
confluence in the presence of strong regularity. 



Proposition 21. Given a strongly regular term rewriting system, all critical atoms between rules —*■ and —> are locally confluent if and only if all critical reduced memberships are descending.



Term Rewriting in a Logic of Special Relations 






Proof. For the if direction, let t' : s' be a critical atom formed from rewrite rules t → t' and t → s', and let s be the least sort of t. Then t' : s is a critical reduced membership formed from rewrite rules t → t' and t → s, and by descendingness there exists a term t" with least sort s" such that t' t" and s ^ s", and by strong regularity s' ^ s. Therefore t' : s' is locally confluent (see Fig. 3(a)).

For the only if direction, let t' : s be a critical reduced membership formed from rewrite rules t → t' and t → s, where s is least sort of t'. Then by local confluence there exists a term t" and a sort s' such that t' t", t" → s' and s ^ s'. By strong regularity t" has a least sort s" and therefore s' ^ s"; consequently t' : s is descending (see Fig. 3(b)). □




Fig. 3. Descendingness and local confluence are equivalent, provided strong regularity.



5 Conclusions 

Many logics extending order-sorted equational logic use special relations as ba- 
sic building blocks for specifications. I have attempted to formally capture this 
fact by means of a logic of special relations, which I have briefly introduced in 
this paper. Its detailed presentation can be found in m- The purpose here was 
to develop the proof-theoretical aspect of the logic, and to show how several 
conditions for the decidability of membership equational theories — which are 
specific theories in the logic of special relations — like sort-decreasingness, de- 
scendingness, or regularity, can easily be expressed by a general notion of local 
confluence when term rewriting is generalized along binary relations. It still remains to extend the present framework to conditional term rewriting, in analogy to conditional equational term rewriting.



Acknowledgments: I am grateful to Jaume Agustí, Jordi Levy and José Meseguer for fruitful discussions concerning the research issues presented in this paper.
Abstract. Module constructs in programming languages have protec- 
tion mechanisms hindering unauthorised external access to internal op- 
erators of data types. In some cases, granting external access to internal 
operators would result in serious violation of a data type’s specified ex- 
ternal properties. In order to reason consistently about specifications of 
such data types, it is necessary in general to incorporate a notion of pro- 
tective abstraction barrier in proof strategies as well. We show how this 
can be done in equational calculus by simply restricting the congruence 
axiom, and see how the motivation for this naturally arises from FI and 
FRI approaches to specification refinement. 



1 Introduction 

Many programming languages have encapsulation mechanisms that hide internal 
detail of data types. Besides providing abstraction from uninteresting detail, 
these encapsulation mechanisms also provide vital protection of a data type’s 
internal workings, to which direct access might otherwise enable a user to create 
havoc. Consider for example a data type implementation of sets in SML by sorted 
non-repeating lists. If granted access to the set constructor, a user might generate 
things (s)he thinks represent sets but which do not according to the data type. 
Then applying operators which assume the correct representation might give 
wrong answers. The power to enforce a suitable abstraction barrier between a 
module and the surrounding program is thus not just an organisational nicety, 
but also essential for program soundness. We here address these latter aspects 
of encapsulation, i.e. those pertaining to its logical or protective, as opposed to 
organisational, necessity. 

Algebraic specification is viewed in this paper in a refinement setting as 
described in e.g. or cm. In such a setting data types are viewed as 

algebras, and in several schemes, e.g. H3, m specifications and programs are 
written in a uniform language, so that specifications are abstract multi-modeled 
descriptions of a data type, while program modules are concrete monomorphic 
executable descriptions of the same. A refinement process then seeks to develop 
in a sound methodical way the latter from the former. In this setting, the need 
for abstraction barriers arises naturally in algebraic specifications as well. The 
specificational and semantic formalisms of algebraic specification have structural 
constructs, which if combined in the right order provide protective encapsulation, 
as for example in the forget-identify (FI) and the forget-restrict-identify (FRI) 
approach to refinement m- 
The broad issue of this paper is that when reasoning about specifications and 
programs, e.g. when doing refinement proofs, one needs to take into consideration 
abstraction barriers in proof methods as well. This is because information about 
hidden parts of a data type may have to be used when reasoning about its 
external properties. In this paper we look specifically at proof obligations arising 
from the FI and FRI implementation schemes, i.e. implementing a data type by 
hiding details in, and then quotienting, another data type. Moreover, we wish to 
show how an abstraction barrier can easily be enforced in equational logic, so we 
look here at equational specifications. This means we will consider the case when 
the congruence with which the quotienting is done can be expressed by equations. 
It would then be proof-technically convenient if these latter equations could 
be used in an equational calculus directly in conjunction with other equations 
specifying the data type. Our result is that this is indeed possible, provided one 
incorporates the appropriate abstraction barrier in the calculus itself. It suffices 
to restrict the congruence (monotonicity) axiom to contexts without designated 
hidden symbols, i.e. imposing referential opacity, see [mm for other uses of 
referential opacity. Without such an abstraction barrier, the resulting set of 
equations may be inconsistent since (the axioms for) hidden operators might 
not respect the intended equality predicate. 

Several proof system schemata for structured specifications exist, see [Z| for 
an overview, and the standard way by which quotienting is dealt with is by intro- 
ducing a predicate symbol and explicitly axiomatising the congruence in terms 
of that symbol m- This also goes for the behavioural equalities viz. congruences 
dealt with in [Jj, where the axiomatisations are in general infinitary, although in 
0 this problem is taken to higher order logic and finitary axiomatisation is then 
possible. Our approach is beneficial to mechanised reasoning because it remains 
finitary, first-order and purely equational. In some cases it also allows one to do 
behavioural verification more directly because now we can safely do proofs w.r.t. 
behavioural quotients instead of having to axiomatise behavioural equalities. 

We will assume that the specifications to which the hiding and quotienting 
operators are applied are basic or “flat”. It should be noted that this is not such 
a great restriction. Any first-order specification built from a basic specification 
by applying the standard specification building operators sum, derive, trans- 
late L2i'ij can be algorithmically normalised to a basic specification with a derive 
operator outermost (ini El E| The other relevant operators are abstract, be- 
haviour and quotient. In a refinement context the two former, it can be argued, 
should be seen as meta-operators and should only be applied outermost p. A 
similar argument can be made for quotient. 

In Sect. 2 relevant notions are given as well as motivating examples. In Sect. 
3 a calculus is presented which is sound and complete w.r.t. the model class of 
an equational instance of an FI structure. In Sect. 4 we present a calculus with 
an ω-rule which is shown sound and complete for the semantics of an equational 
instance of the FRI approach. The FI case is a special case of the FRI case and 
the completeness proof of the latter immediately gives a completeness proof for 
the former. Omitted proofs and more detail may be found in Ej. 
2 Preliminaries and Motivation 

A basic knowledge of notions within universal algebra and algebraic specification is assumed. Below we give some notions and simplifying assumptions central to the paper. We will be dealing with many-sorted algebraic specifications whose semantics will be given as classes of total many-sorted algebras with non-empty carriers. Fix a signature Σ = (S, Ω). The class of Σ-algebras is denoted by ΣAlg. For Σ-algebras A and B the class of Σ-homomorphisms from A to B is denoted by ΣAlg(A, B). We also write φ : A → B to indicate that φ is a homomorphism from A to B. Throughout this paper, fix X as a U-sorted set of variables, where U includes all sorts involved. The Σ-term algebra, i.e. the free Σ-algebra generated by X^S, where the S-sorted X^S is given by X^S_s = X_s for s ∈ S, is denoted by T_Σ(X). For a Σ-context c[□] we write c ∈ T_Σ(X) instead of c ∈ T_{Σ∪{□}}(X). All signatures Σ = (S, Ω) are assumed to be sensible w.r.t. a designated set I ⊆ S, i.e. for the I-sorted X^I given by X^I_s = X_s for s ∈ I, we assume that the free Σ-algebra generated by X^I, denoted T_Σ(X^I), is non-empty. If I = ∅ this amounts to assuming that there is at least one constant in Ω of every sort s in S. We write T_Σ(∅) as G_Σ.

For signatures Σ = (S, Ω), Σ' = (S', Ω'), a signature morphism σ : Σ → Σ' maps the sorts and operator symbols of Σ to those of Σ' such that sorts are preserved. For a Σ'-algebra A the σ-reduct A|_σ of A is the Σ-algebra with carriers (A|_σ)_s = A_{σ(s)} for each sort s ∈ S and f^{A|_σ} = σ(f)^A for each f ∈ Ω. For any Σ'-congruence ~^A on A, ~^A|_σ is defined as (~^A|_σ)_s = ~^A_{σ(s)} for each sort s ∈ S. For any Σ'-homomorphism φ : A → B, φ|_σ : A|_σ → B|_σ is the Σ-homomorphism defined by (φ|_σ)_s = φ_{σ(s)} for each sort s ∈ S. In case Σ ⊆ Σ' and σ : Σ → Σ' is the inclusion morphism, we write A|_Σ, and we might write a ~^A a' in place of a ~^{A|_Σ} a', since (~^A|_Σ)_s = ~^A_s for s ∈ S.

If σ is not surjective, the effect is that of hiding, i.e. removing, those carriers and operators of A which are not interpretations of symbols in σ(Σ).

The class of all Σ-algebras that are models (in the standard sense) of a set Φ of axioms is denoted Mod_Σ(Φ).



2.1 Congruence Induced by a Set of Equations 

The following standard notion is central. For a set of Σ-equations E ⊆ T_Σ(X) × T_Σ(X), the congruence ~^A_E induced by E on any Σ-algebra A is defined as the least Σ-congruence containing {(φ(l), φ(r)) | (l, r) ∈ E, φ : T_Σ(X) → A}. This definition is equivalent to demanding the least equivalence relation containing {(φ(c[l]), φ(c[r])) | (l, r) ∈ E, c ∈ T_Σ(X), φ : T_Σ(X) → A}, i.e. the relation inductively defined by

induce :   (l, r) ∈ E,  c ∈ T_Σ(X),  φ : T_Σ(X) → A
           ———————————————————————————
                  φ(c[l]) ~^A_E φ(c[r])

refl :     ————————
           a ~^A_E a

sym :      a ~^A_E a'
           ——————————
           a' ~^A_E a

trans :    a ~^A_E a',  a' ~^A_E a''
           ——————————————————————
                 a ~^A_E a''

The quotient w.r.t. ~^A_E is written A/E. Of course, usually s ~^{T_Σ(X)}_E t is written E ⊢ s = t.
2.2 Abstraction Barriers by Specificational Structure - FI and FRI 

Henceforth, we tacitly assume that every class of algebras presented is closed under isomorphism. A basic specification is a pair (Σ, Φ). Its loose semantics [(Σ, Φ)] is Mod_Σ(Φ). A number of specification building operators exist for constructing structured specifications. A common one which will be used in examples is enrich SP by sorts S' ops Ω' axioms Φ' with semantics {A ∈ Σ'Alg | A|_Σ ∈ [SP] ∧ A ⊨ Φ'} where Σ' = (S ∪ S', Ω ∪ Ω'). (This enrich operator can be expressed by the sum operator.) In this paper we are interested in encapsulation and in particular encapsulation out of logical necessity. Our focus is therefore on the two operators derive SP by σ, whose semantics for a signature morphism σ is {A|_σ | A ∈ [SP]}, and quotient SP by E', whose semantics for a set of equations E' is {A/E' | A ∈ [SP]}. The particular structure of interest is

quotient (derive (Σ, E) by incl : Σ^e) by E'        (1)

with semantics {(A|_{Σ^e})/E' | A ∈ Mod_Σ(E)}. If Σ^e ⊆ Σ then the signature fragment Σ \ Σ^e is outside the image of incl, so the reduct construct hides the interpretations of the operator symbols and sorts in it. Structure is the essential abstraction barrier here: it is crucial that the hiding derive step is done before quotienting, since quotienting in the presence of hidden operators might give inconsistency in the sense illustrated in the following example.

Example 1. Following a specification SP' is a refinement of SP, written 
SP SP' iff {SP'l C {SP}. A nice feature in refinement settings is the provi- 
sion for using an implementation of one data type to implement another. In the 
example below from m, the specification Set is refined by using Bag and spec- 
ification building operators. This reuses any refinement Bag SP” previously 
done for Bag. In particular if Bag has been refined to an executable module, then 
this code is reused when implementing Set. Specifically we have 

spec Set is
  sorts nat, set
  ops empty : set, add : nat × set → set,
      in : nat × set → bool
  axioms add(x, add(x, s)) = add(x, s)
         add(x, add(y, s)) = add(y, add(x, s))
         in(x, empty) = false
         in(x, add(y, s)) = if x =nat y then true else in(x, s)

spec Bag is
  sorts nat, bag
  ops empty : bag, add : nat × bag → bag,
      count : nat × bag → nat
  axioms add(x, add(y, b)) = add(y, add(x, b))
         count(x, empty) = 0
         count(x, add(y, b)) = if x =nat y then succ(count(x, b)) else count(x, b)

The idea is to put an appropriate interface on bags as specified by Bag, so that they look like sets as specified by Set. This may be done safely by adding in as an interface operator, then hiding its implementation in terms of count and then identifying bags that represent the same set. First in is added:

spec Bag+ is
  enrich Bag by
  ops in : nat × bag → bool
  axioms in(x, b) = count(x, b) > 0

Then we use an instance of the structure (1):

spec SetbyBag is
  quotient
    derive Bag+ by σ = ι[set bag]
  by E' : {add(x, add(x, s)) = add(x, s)}

where σ is the signature morphism from the signature of Set to that of Bag+ which is the identity on everything except the sort set, which is renamed to bag. (For simplicity (1) was stated using an inclusion morphism. In this example, the signature morphism is not an inclusion proper. However, the renaming from set to bag is trivial.) The morphism is not surjective, thus hiding count. This specification is structured so that count is hidden before quotienting. If this were not done, the specification would be inconsistent relative to the intended semantics on nat, since any model B = A/E' would then have to satisfy e.g. 2 = 1, by

2 = count^B(x, add^B(x, add^B(x, empty^B))) = count^B(x, add^B(x, empty^B)) = 1

and now it would be too late for hiding count^B. However, the above structure ensures the appropriate abstraction barrier and the desired semantics.

In an executable implementation of SetbyBag, the derive operator might be implemented by an encapsulation mechanism hindering outside access to count, and the quotient operator might be implemented by an equality predicate.

The task is now to prove Set SetbyBag. This paper presents a calculus allowing a direct approach to proofs w.r.t. the general structure (1), and hence particularly w.r.t. SetbyBag for this example. ◊

The specification structure (1) in general, and the specification SetbyBag of Example 1 in particular, are instances of the common forget-identify (FI) implementation strategy of algebraic specification. Even more common is the strategy of forget-restrict-identify (FRI), which involves restricting to the unique reachable sub-algebra after reducting and before quotienting.

Let Σ = (S, Ω) and let S' ⊆ S. The set I = S \ S' might be thought of as designated input sorts. A Σ-algebra A is reachable on S' if there is no proper Σ-subalgebra whose I-sorted carriers are the same as those of A. Equivalently, let X^I ⊆ X denote the I-sorted variables of X. Then A is reachable on S' iff for every a ∈ A there is a term t ∈ T_Σ(X^I) such that φ(t) = a for some homomorphism φ : T_Σ(X^I) → A. Any Σ-algebra has a unique Σ-subalgebra which is reachable on S', denoted R_{S'}(A). The restriction R|_{A'×B'} of a relation R ⊆ A × B is here taken to be R ∩ A' × B'. For any Σ-homomorphism φ : A → B, the Σ-homomorphism R_{S'}(φ) : R_{S'}(A) → R_{S'}(B) (qua relation) is defined to be φ|_{R_{S'}(A) × R_{S'}(B)} (the range of φ|_{R_{S'}(A)} is R_{S'}(B)). For a Σ-congruence ~ on A, the Σ-congruence R_{S'}(~) is defined as ~|_{R_{S'}(A) × R_{S'}(A)}.

The semantics of the specification restrict SP on S' is {R_{S'}(A) | A ∈ [SP]}. Specifications with the restrict operator are normalisable to the form mentioned prefatorially, but with infinitary axioms. However, in refinement we could again claim restrict as a meta-operator to be applied outermost. The FRI approach then, is in our context represented by the specification structure

quotient (restrict (derive (Σ, E) by incl : Σ^e) on S') by E'        (2)

where Σ^e = (S^e, Ω^e), S' ⊆ S^e. Its semantics is {R_{S'}(A|_{Σ^e})/E' | A ∈ Mod_Σ(E)}. Note that the input sorts I are now S^e \ S'. There is a range of model classes according to the choice of S'. The case S' = ∅ gives R_∅(A|_{Σ^e}) = A|_{Σ^e}, and corresponds to FI. The case S' = S^e is ground term denotability.

Example 2. Consider the specification

spec SetEnr is
  enrich Set by
  ops remove : nat × set → set
  axioms in(x, remove(x, s)) = false

In this example sets as specified by SetEnr are implemented by lists where equal 
elements occur consecutively. (One might at lower levels of implementation wish 
to keep a record of insertions. Also, formulating the example in this way will 
nicely illustrate the use of referential opacity.) We do this by putting an appro- 
priate interface on basic lists, i.e. starting from 

spec List is
  sorts nat, list
  ops nil : list, _::_ : nat × list → list

we add interface operators:

spec List+ is
  enrich List by
  ops empty : list, add : nat × list → list,
      remove : nat × list → list, in : nat × list → bool
  axioms empty = nil
         add(x, nil) = x :: nil
         add(x, y :: l) = if x =nat y then x :: y :: l else y :: add(x, l)
         in(x, nil) = false
         in(x, y :: l) = if x =nat y then true else in(x, l)
         remove(x, nil) = nil
         remove(x, y :: nil) = if x =nat y then nil else y :: nil
         remove(x, y :: z :: l) = if x =nat y then
                                     if x =nat z then remove(x, l) else z :: l
                                   else y :: remove(x, z :: l)

Notice that remove is optimised by using the fact that we intend to represent sets by lists in which equal elements are stored consecutively. However, this representation has to be guaranteed by imposing a suitable abstraction barrier. We use the FRI construct (2):

spec SetbyCanonicalList is
  quotient
    restrict
      derive List+ by σ = ι[set list]
    on {set}
  by E' : {add(x, add(y, s)) = add(y, add(x, s)),
           add(x, add(x, s)) = add(x, s)}

where σ is the signature morphism from the signature of Set to that of List+ which is the identity on everything except for the renaming of set to list. It is not surjective, thus hiding nil and ::. Semantically, no model of SetbyCanonicalList has interpretations of nil and ::, so the only way of generating lists is by the interpretations of the operator symbols empty and add, which in the initial model will generate the canonical lists with which we intend to represent sets. However, we also have to restrict to the least reachable sub-algebra on {set}, because the reduct operator only takes away operators and entire carriers, and leaves all carriers which are interpretations of sorts in σ(S) intact. Without the restrict step, models would not necessarily satisfy in(x, remove(x, s)) = false, since s would then range over all lists, hence also non-canonical lists. Note that we must prove [SetbyCanonicalList] ⊨ in(x, remove(x, s)) = false to verify that SetbyCanonicalList is a refinement of Set. ◊
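As an added illustration of Example 2 (example code written for this page, not the paper's own), here are the List+ operators on Python tuples together with a check of the SetEnr axiom in(x, remove(x, s)) = false. The check enumerates the lists reachable from empty and add, which is exactly what the restrict step keeps, and contrasts them with a constructed non-canonical list that lives in the reduct's carrier but is not reachable. The helper names (reachable_lists, is_canonical, axiom_holds, check_reachable, counterexample) are this example's own assumptions.

```python
"""Added example for Example 2: the List+ interface on Python tuples.
A list is a tuple of nats, head first; () plays the role of nil.
The helper names below are this example's own, not notation from the paper."""

NIL = ()


def add(x, l):
    """add(x, nil) = x :: nil
    add(x, y :: l) = if x = y then x :: y :: l else y :: add(x, l)"""
    if not l:
        return (x,)
    y, rest = l[0], l[1:]
    if x == y:
        return (x, y) + rest
    return (y,) + add(x, rest)


def member(x, l):
    """in(x, nil) = false;  in(x, y :: l) = if x = y then true else in(x, l)"""
    if not l:
        return False
    return True if x == l[0] else member(x, l[1:])


def remove(x, l):
    """The optimised remove of List+.  Its third clause stops scanning as soon as
    it has passed x's block, which is only right if equal elements are consecutive."""
    if not l:
        return NIL
    if len(l) == 1:
        return NIL if x == l[0] else l
    y, z, rest = l[0], l[1], l[2:]
    if x == y:
        return remove(x, rest) if x == z else (z,) + rest
    return (y,) + remove(x, (z,) + rest)


def is_canonical(l):
    """Equal elements occur consecutively, i.e. each value forms one block."""
    seen = set()
    for i, y in enumerate(l):
        if y in seen and l[i - 1] != y:
            return False
        seen.add(y)
    return True


def reachable_lists(elements, depth):
    """Carrier of the sub-algebra reachable on {set} from empty and add, cut off
    at `depth` add steps: this is what 'restrict ... on {set}' keeps."""
    found, frontier = {NIL}, {NIL}
    for _ in range(depth):
        frontier = {add(x, l) for l in frontier for x in elements}
        found |= frontier
    return found


def axiom_holds(x, s):
    """The SetEnr axiom in(x, remove(x, s)) = false, evaluated on one list."""
    return not member(x, remove(x, s))


def check_reachable(elements=(1, 2, 3), depth=4):
    """True iff every reachable list is canonical and satisfies the axiom for every x."""
    return all(is_canonical(l) and axiom_holds(x, l)
               for l in reachable_lists(elements, depth) for x in elements)


def counterexample():
    """A list that lies in the reduct's carrier but is not reachable: without the
    restrict step a model may contain it, and the axiom then fails on it."""
    bad = (1, 2, 1)  # constructed non-canonical list
    return is_canonical(bad), axiom_holds(1, bad)
```

Running check_reachable() confirms the axiom on every list generated by empty and add over three elements, while counterexample() returns (False, False): the list (1, 2, 1) is not canonical, and remove(1, (1, 2, 1)) yields (2, 1), which still contains 1. This is the failure the restrict step rules out.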

2.3 Overview of Main Results 

This paper presents sound and complete equational calculi for the FI and FRI structured semantics as formulated in schemes (1) and (2). The usefulness of such calculi is apparent in refinement scenarios such as those in Examples 1 and 2. The calculi will be generalisations in a certain sense of calculi for the flat basic cases, as explained in the following. For a basic specification SP = (Σ, E) we have by Birkhoff for the equational calculus ⊢

[SP] ⊨ s = t  ⟺  T_Σ(X)/E ⊨ s = t  ⟺  E ⊢ s = t        (*)

Here T_Σ(X)/E is a classifying model of [SP]. Now let K^FI be the semantics of the FI structure (1). The first main result will be a calculus ⊢^FI and a classifying model T^FI such that

K^FI ⊨ s = t  ⟺  T^FI ⊨ s = t  ⟺  ⊢^FI s = t

Secondly, recall that for the basic specification SP we have for ⊢^ω, i.e. the equational calculus augmented with the ω-rule,

Reach([SP]) ⊨ s = t  ⟺  G_Σ/E ⊨ s = t  ⟺  ⊢^ω s = t        (**)

where Reach([SP]) is the subclass of [SP] consisting of all algebras reachable on the sorts S of Σ, i.e. ground term denotable algebras, or computation structures. Now, in the FRI approach we are interested in classes of reachable sub-algebras, rather than sub-classes of reachable algebras. However in a flat equational setting these two are the same: Let R_{S'}(Mod_Σ(E)) = {R_{S'}(A) | A ∈ Mod_Σ(E)} and Reach_{S'}(Mod_Σ(E)) = {A ∈ Mod_Σ(E) | A is reachable on S'}.
Fact 1. R_{S'}(Mod_Σ(E)) = Reach_{S'}(Mod_Σ(E))

This correspondence means that we can utilise the ω-rule also when considering reachable sub-algebras. In fact it follows that for arbitrary S' ⊆ S,

R_{S'}([SP]) ⊨ s = t  ⟺  R_{S'}(T_Σ(X)/E) ⊨ s = t  ⟺  ⊢_{S'} s = t

where ⊢_{S'} denotes the standard equational calculus augmented by the following parametrised ω-rule.

           ∀τ : T_Σ(X) → R_{S'}(T_Σ(X)) . ⊢ τ(s) = τ(t)
           ———————————————————————————
                        ⊢_{S'} s = t

The special case S' = ∅ is simply (*). The case S' = S is (**), in which case R_{S'}(T_Σ(X)/E) = G_Σ/E is the initial object of Mod_Σ(E).

Now let K^FRI be the semantics of the FRI structure (2). By analogy to the basic case we will as a second main result devise a calculus ⊢^FRI with a parametrised ω-rule and classifying model T^FRI such that

K^FRI ⊨ s = t  ⟺  T^FRI ⊨ s = t  ⟺  ⊢^FRI s = t

Analogously to the basic case above, the classifying model T^FRI will in the case S' = S be the initial object of K^FRI.

As a curio, there is an aspect in which the analogy does not hold. In the 
basic case Rs'{Ts{X)/E) is free on Xs\s> in |5P], assuming that E does not 
identify any variables. However, in general T^fri is not free on Xg\gi in or for 
except in the case S' = S. 

3 FI Approach — A Referentially Opaque Calculus

In the following we shall develop a calculus for structured specifications of the form (1), for Σ^e = (S^e, Ω^e) ⊆ Σ = (S, Ω), E a set of Σ-equations and E' a set of Σ^e-equations. The calculus implements a protective abstraction barrier in the form of referential opacity. The model class of (1) is given by {(A|_{Σ^e})/E' | A ∈ Mod_Σ(E)} and will be denoted by K^FI throughout. We will give a calculus ⊢^FI that is equationally sound and complete for K^FI.

Algebras in K^FI are of the form (A|_{Σ^e})/E' where A is a model for E. The classifying model is (T_Σ(X)/E|_{Σ^e})/E' (Theorem 2). Viewing for the moment T_Σ(X)/E|_{Σ^e} as a “term-algebra” T, we directly get an “abstract” calculus for K^FI by considering ~^T_{E'} on T and the classifying model T/E'. This is a generalisation of the basic case (*) in Sect. 2.3 where ⊢ is given directly by ~^{T_Σ(X)}_E. The abstract calculus thus operates on elements of T, i.e. congruence classes q of T_Σ(X)/E|_{Σ^e}. Notice that each q has the form [t]_E for t ∈ T_Σ(X)|_{Σ^e}, and recall that in general T_{Σ^e}(X) ⊊ T_Σ(X)|_{Σ^e} because for any s ∈ S^e, (T_Σ(X)|_{Σ^e})_s = T_Σ(X)_s.

Of course, instead of this abstract calculus we would rather have a calculus operating on terms. We obtain this by “opening up” the congruence classes q and then building a calculus over E' on T_Σ(X)|_{Σ^e}. Opening up the congruence classes necessitates importing the calculus E ⊢.
Definition 1 (Calculus ⊢^FI). For all u, v ∈ T_Σ(X)|_{Σ^e},

importE :    E ⊢ u = v
             ——————————
             ⊢^FI u = v

induceE' :   (l, r) ∈ E',  c ∈ T_{Σ^e}(X),  φ : T_{Σ^e}(X) → T_Σ(X)|_{Σ^e}
             ————————————————————————————————————————
                        ⊢^FI φ(c[l]) = φ(c[r])

refl :       ——————————         sym :    ⊢^FI u = v        trans :   ⊢^FI u = w,  ⊢^FI w = v
             ⊢^FI u = u                  ——————————                  ————————————————————
                                         ⊢^FI v = u                        ⊢^FI u = v

In rule induceE' in Definition 1 the contexts are T_{Σ^e}(X)-contexts, giving referential opacity w.r.t. T_Σ(X)|_{Σ^e}. This is a direct consequence of the definition of congruence on a Σ^e-algebra (T_Σ(X)|_{Σ^e}) induced by a set of Σ^e-equations (E') (Sect. 2.1). In this way the abstraction barrier provided by the reduct construct in the semantics (1) gets its counterpart in the calculus in the form of referential opacity. Notice that in fact φ(c[□]) ∈ T_Σ(X)|_{Σ^e}. However, the fact that c[□] is a T_{Σ^e}(X)-context ensures the essential property that all operator symbols in the path from □ to the root of φ(c[□]) (seen as a tree of sub-terms) are from Ω^e.

Note that the calculus in Definition 1 is given by the Σ^e-congruence on T_Σ(X)|_{Σ^e} induced by the set of Σ^e-equations

E^FI = (~^{T_Σ(X)}_E |_{Σ^e}) ∪ E'        (3)

We shall make use of this observation later.

All algebras in K^FI are Σ^e-algebras, so satisfaction by K^FI only has meaning for Σ^e-equations. However, it is necessary for completeness that the calculus considers substitutions into T_Σ(X)|_{Σ^e} of Σ^e-equations, since (T_Σ(X)/E|_{Σ^e})/E' is in K^FI. This is just a manifestation of the above discussion, where it was motivated from considering what will turn out to be the classifying model (T_Σ(X)/E|_{Σ^e})/E' that must be defined over T_Σ(X)|_{Σ^e}.

Theorem 2 (Soundness and completeness). Let K^FI be the semantics {(A|_{Σ^e})/E' | A ∈ Mod_Σ(E)} of (1). For all u, v ∈ T_{Σ^e}(X),

K^FI ⊨ u = v  ⟺  T_Σ(X)/E|_{Σ^e}/E' ⊨ u = v  ⟺  ⊢^FI u = v

Proof: This follows from Theorem 5 by Observations 3 and 4. □

Example 3. By Theorem 2 the calculus ⊢^FI can be used in verifying the refinement postulated in Example 1, namely Set SetbyBag. The calculus ensures the safe interaction between the set E of equations associated with Bag+ and the set E' of equations introduced in the quotienting step forming SetbyBag. For instance, although add(x, add(x, empty)) = add(x, empty), referential opacity prevents us from inferring count(x, add(x, add(x, empty))) = count(x, add(x, empty)), which would have given 2 = 1. The inference is illegal because count is a hidden operator symbol. Referential opacity ensures soundness and is an appropriate abstraction barrier in the calculus. ◊
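As an added illustration of Examples 1 and 3 (example code written for this page, not the paper's own), here is a small rewriter over E' that enforces referential opacity: the quotient equation add(x, add(x, s)) = add(x, s) may only be applied at a position whose path to the root of the term contains no hidden symbol. The example evaluates count by the Bag axioms to show that rewriting under count (the referentially transparent reading) produces the 2 = 1 inconsistency, whereas the opaque rewrite leaves the count term untouched and the in term, whose context is exported, is still rewritten. The term encoding and the names HIDDEN, E_PRIME, rewrite_opaque, rewrite_transparent, count_value and demo are this example's own assumptions; only E' rewriting and count evaluation are modelled, not the full importE rule.

```python
"""Added example for Examples 1 and 3: E'-rewriting with referential opacity.
Terms are nested tuples ("f", arg1, ...); constants are 1-tuples such as ("empty",).
Variables in rewrite rules are strings starting with "?".  All names here are
assumptions of this example, not notation from the paper."""

# Hidden symbol of SetbyBag: count is removed by the derive step.
HIDDEN = {"count"}

# E': the quotient equation add(x, add(x, s)) = add(x, s), oriented left to right.
E_PRIME = [(("add", "?x", ("add", "?x", "?s")), ("add", "?x", "?s"))]


def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def match(pattern, term, subst):
    """Syntactic first-order matching; extends subst or returns None."""
    if is_var(pattern):
        bound = subst.get(pattern)
        if bound is None:
            subst[pattern] = term
            return subst
        return subst if bound == term else None
    if not isinstance(term, tuple) or len(pattern) != len(term) or pattern[0] != term[0]:
        return None
    for p, t in zip(pattern[1:], term[1:]):
        if match(p, t, subst) is None:
            return None
    return subst


def instantiate(pattern, subst):
    if is_var(pattern):
        return subst[pattern]
    return (pattern[0],) + tuple(instantiate(p, subst) for p in pattern[1:])


def rewrite_step(term, rules, hidden, under_hidden=False):
    """One rewrite at the outermost allowed position.  Once the descent has passed
    through a hidden symbol, under_hidden is True for the whole subtree and no rule
    of E' may fire there: that is the referential opacity of rule induceE'."""
    if not isinstance(term, tuple):
        return None
    if not under_hidden:
        for lhs, rhs in rules:
            subst = match(lhs, term, {})
            if subst is not None:
                return instantiate(rhs, subst)
    below = under_hidden or term[0] in hidden
    for i, arg in enumerate(term[1:], start=1):
        new = rewrite_step(arg, rules, hidden, below)
        if new is not None:
            return term[:i] + (new,) + term[i + 1:]
    return None


def normalize(term, rules, hidden):
    while True:
        new = rewrite_step(term, rules, hidden)
        if new is None:
            return term
        term = new


def rewrite_opaque(term):
    """E'-normal form under referential opacity w.r.t. the hidden symbols."""
    return normalize(term, E_PRIME, HIDDEN)


def rewrite_transparent(term):
    """E'-normal form with the unrestricted congruence rule (no abstraction barrier)."""
    return normalize(term, E_PRIME, set())


def count_value(x, bag):
    """Evaluate count(x, bag) by the Bag axioms count(x, empty) = 0 and
    count(x, add(y, b)) = if x = y then succ(count(x, b)) else count(x, b)."""
    if bag == ("empty",):
        return 0
    _, y, rest = bag
    return count_value(x, rest) + (1 if x == y else 0)


def count_after(term, rewrite):
    """Rewrite a count(x, b) term with the given strategy, then evaluate it with E."""
    _, x, bag = rewrite(term)
    return count_value(x, bag)


def demo():
    a = ("a",)                                   # constructed constant of sort nat
    two_a = ("add", a, ("add", a, ("empty",)))   # bag holding a twice
    return {
        "exported_context": rewrite_opaque(two_a),                 # add(a, empty)
        "in_context": rewrite_opaque(("in", a, two_a)),            # rewritten: in is exported
        "opaque_count": count_after(("count", a, two_a), rewrite_opaque),           # 2
        "transparent_count": count_after(("count", a, two_a), rewrite_transparent), # 1
    }
```

The opaque strategy returns 2 for count(a, add(a, add(a, empty))) because no E'-step is allowed below count, while the transparent strategy rewrites the bag first and returns 1; that pair of values is exactly the 2 = 1 derivation that referential opacity blocks.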
4 FRI Approach

We now address the FRI approach in which reducts are restricted to reachable subalgebras on certain sorts. We consider the FRI specification structure (2). Again, for Σ^e = (S^e, Ω^e) ⊆ Σ = (S, Ω), let E be a set of equations over T_Σ(X) and let E' be a set of equations over T_{Σ^e}(X). Let S' ⊆ S^e. The model class of (2) is given by {R_{S'}(A|_{Σ^e})/E' | A ∈ Mod_Σ(E)} and will be denoted by K^FRI throughout.

Observation 3. For S' = ∅, K^FRI = K^FI.



4.1 A Restricted Calculus with ω-rule



Algebras in K^FRI are of the form R_{S'}(A|_{Σ^e})/E' where A is a model for E. The classifying model is R_{S'}(T_Σ(X)/E|_{Σ^e})/E' (Theorem 5). As we did for the FI case, viewing for the moment R_{S'}(T_Σ(X)/E|_{Σ^e}) as a “term-algebra” T', we directly get an “abstract” calculus for K^FRI by considering ~^{T'}_{E'} on T' and the classifying model T'/E'. The abstract calculus thus operates on elements of T', i.e. congruence classes q of R_{S'}(T_Σ(X)/E|_{Σ^e}), and each q has the form [t]_E for t ∈ R_{S'}(T_Σ(X)|_{Σ^e}). Again we obtain a term calculus by opening up the congruence classes and importing E ⊢. This calculus is defined over R_{S'}(T_Σ(X)|_{Σ^e}) and is given by the congruence on R_{S'}(T_Σ(X)|_{Σ^e}) induced by the set of Σ^e-equations

E^FRI = (~^{T_Σ(X)}_E |_{R_{S'}(T_Σ(X)|_{Σ^e})}) ∪ E'

Remember now that as K^FRI consists of Σ^e-algebras, we are interested in satisfiability of Σ^e statements, i.e. Σ^e-equations. However, depending on S' it may be the case that T_{Σ^e}(X) ⊄ R_{S'}(T_Σ(X)|_{Σ^e}), in which case the calculus will not respond to all Σ^e-equations. Hence, we supply an ω-rule dependent on S'.

Definition 2 (Calculus ⊢^FRI). The calculus is given by the following single rule. For all u, v ∈ T_{Σ^e}(X),

ω_{S'} :   ∀τ : T_{Σ^e}(X) → R_{S'}(T_Σ(X)|_{Σ^e}) . τ(u) τ(v)
           ————————————————————————————————
                        ⊢^FRI u = v

To spell that out, let ⊢^FI_{S'} be the following calculus. For all u, v ∈ R_{S'}(T_Σ(X)|_{Σ^e}),

importE :    E ⊢ u = v
             ———————————————
             ⊢^FI_{S'} u = v

induceE' :   (l, r) ∈ E',  c ∈ T_{Σ^e}(X),  φ : T_{Σ^e}(X) → R_{S'}(T_Σ(X)|_{Σ^e})
             ————————————————————————————————————————————
                        ⊢^FI_{S'} φ(c[l]) = φ(c[r])

refl :       ———————————————
             ⊢^FI_{S'} u = u

sym :        ⊢^FI_{S'} u = v
             ———————————————
             ⊢^FI_{S'} v = u

trans :      ⊢^FI_{S'} u = w,  ⊢^FI_{S'} w = v
             ——————————————————————————————
                     ⊢^FI_{S'} u = v

Now ⊢^FRI is given by the following rule. For all u, v ∈ T_{Σ^e}(X),

ω_{S'} :   ∀τ : T_{Σ^e}(X) → R_{S'}(T_Σ(X)|_{Σ^e}) . ⊢^FI_{S'} τ(u) = τ(v)
           ————————————————————————————————————————
                              ⊢^FRI u = v
Observation 4. ⊢^FRI subsumes ⊢^FI. If S' = ∅ then the rule ω_{S'} adds nothing to ⊢^FI_{S'}, so for u, v ∈ T_{Σ^e}(X), ⊢^FI u = v ⟺ ⊢^FI_{S'} u = v ⟺ ⊢^FRI u = v.

Theorem 5 (Soundness and completeness). Let K^FRI be the semantics {R_{S'}(A|_{Σ^e})/E' | A ∈ Mod_Σ(E)} of (2). For any u, v ∈ T_{Σ^e}(X),

K^FRI ⊨ u = v  ⟺  R_{S'}(T_Σ(X)/E|_{Σ^e})/E' ⊨ u = v  ⟺  ⊢^FRI u = v

Proof: The proof is split into Lemmas 6 and 9 below. □



Lemma 6 (Completeness).

K^FRI ⊨ u = v  ⟺  R_{S'}(T_Σ(X)/E|_{Σ^e})/E' ⊨ u = v  ⟹  ⊢^FRI u = v

Proof: Suppose K^FRI ⊨ u = v. By definition R_{S'}(T_Σ(X)/E|_{Σ^e})/E' ⊨ u = v. Lemma 7 gives ∀τ : T_{Σ^e}(X) → R_{S'}(T_Σ(X)|_{Σ^e}) . [[τ(u)]_E]_{E'} = [[τ(v)]_E]_{E'}. Lemma 8 then gives ∀τ : T_{Σ^e}(X) → R_{S'}(T_Σ(X)|_{Σ^e}) . ⊢^FI_{S'} τ(u) = τ(v). Finally, the rule ω_{S'} gives ⊢^FRI u = v. □



Lemma 7. For u, v ∈ T_{Σ^e}(X),

R_{S'}(T_Σ(X)/E|_{Σ^e})/E' ⊨ u = v  ⟹  ∀τ : T_{Σ^e}(X) → R_{S'}(T_Σ(X)|_{Σ^e}) . [[τ(u)]_E]_{E'} = [[τ(v)]_E]_{E'}

where [w]_E denotes the congruence class of w in R_{S'}(T_Σ(X)/E|_{Σ^e}), and [q]_{E'} denotes the congruence class of q in R_{S'}(T_Σ(X)/E|_{Σ^e})/E'.

Proof: Suppose R_{S'}(T_Σ(X)/E|_{Σ^e})/E' ⊨ u = v, i.e.

∀ψ : T_{Σ^e}(X) → R_{S'}(T_Σ(X)/E|_{Σ^e})/E' . ψ(u) = ψ(v)

Define ψ_E : T_Σ(X) → T_Σ(X)/E as ψ_E(u) = [u]_E. For any τ : T_{Σ^e}(X) → R_{S'}(T_Σ(X)|_{Σ^e}), we get R_{S'}(ψ_E|_{Σ^e})∘τ : T_{Σ^e}(X) → R_{S'}(T_Σ(X)/E|_{Σ^e}). Let ψ_{E'} : R_{S'}(T_Σ(X)/E|_{Σ^e}) → R_{S'}(T_Σ(X)/E|_{Σ^e})/E' be defined as ψ_{E'}(q) = [q]_{E'}. Then ψ_{E'}∘(R_{S'}(ψ_E|_{Σ^e})∘τ) : T_{Σ^e}(X) → R_{S'}(T_Σ(X)/E|_{Σ^e})/E', and so

[[τ(u)]_E]_{E'} = ψ_{E'}∘(R_{S'}(ψ_E|_{Σ^e})∘τ)(u) = ψ_{E'}∘(R_{S'}(ψ_E|_{Σ^e})∘τ)(v) = [[τ(v)]_E]_{E'}.

□



Lemma 8. Let [w]_E denote the congruence class of w in R_{S'}(T_Σ(X)/E|_{Σ^e}), and [q]_{E'} denote the congruence class of q in R_{S'}(T_Σ(X)/E|_{Σ^e})/E'. For u, v ∈ R_{S'}(T_Σ(X)|_{Σ^e}),

[[u]_E]_{E'} = [[v]_E]_{E'}  ⟹  ⊢^FI_{S'} u = v

Proof: Suppose [[u]_E]_{E'} = [[v]_E]_{E'}, that is, [u]_E ~_{E'} [v]_E. Induction on the construction of ~_{E'}:

induce : For some (l, r) ∈ E', c ∈ T_{Σ^e}(X), ψ : T_{Σ^e}(X) → R_{S'}(T_Σ(X)/E|_{Σ^e}), we have ψ(c[l]) ~_{E'} ψ(c[r]) and u ∈ ψ(c[l]) and v ∈ ψ(c[r]). It is a fact that R_{S'}(T_Σ(X)/E|_{Σ^e}) ≅ R_{S'}(T_Σ(X)|_{Σ^e})/R_{S'}(~^{T_Σ(X)}_E|_{Σ^e}). So by this fact ψ can be factored into ψ_E∘τ for some τ : T_{Σ^e}(X) → R_{S'}(T_Σ(X)|_{Σ^e}), and we have ψ(c[l]) = [τ(c[l])]_E and ψ(c[r]) = [τ(c[r])]_E. So then E ⊢ u = τ(c[l]) and E ⊢ τ(c[r]) = v, which by importE gives ⊢^FI_{S'} u = τ(c[l]) and ⊢^FI_{S'} τ(c[r]) = v. By induceE' we have ⊢^FI_{S'} τ(c[l]) = τ(c[r]) and trans then gives ⊢^FI_{S'} u = v.

refl : Then [u]_E = [v]_E. So E ⊢ u = v, which by importE gives ⊢^FI_{S'} u = v.

sym and trans : These are dealt with by the i.h. and sym and trans of ⊢^FI_{S'}.

□



Lemma 9 (Soundness). $\vdash^{FRI} u = v \ \Rightarrow\ \mathcal{K}^{FRI} \models u = v$

Proof: Fix $A \in \mathrm{Mod}_\Sigma(E)$ arbitrarily, and write $\equiv_{E'}$ for the congruence on $R_{S'}(A|_{\Sigma^e})$ induced by $E'$. Suppose $\vdash^{FRI} u = v$, for $u, v \in T_{\Sigma^e}(X)$. The way this is possible is via the only rule $\omega_{S'}$ and so we must have $\forall \tau : T_{\Sigma^e}(X) \to R_{S'}(T_\Sigma(X)|_{\Sigma^e})\ .\ \vdash \tau(u) = \tau(v)$. By Lemma 10 we then get for any $\tau : T_{\Sigma^e}(X) \to R_{S'}(T_\Sigma(X)|_{\Sigma^e})$ and $\psi : R_{S'}(T_\Sigma(X)|_{\Sigma^e}) \to R_{S'}(A|_{\Sigma^e})$ that

Fix $\phi' : T_{\Sigma^e}(X) \to R_{S'}(A|_{\Sigma^e})$ arbitrarily. We now show that there exist $\tau : T_{\Sigma^e}(X) \to R_{S'}(T_\Sigma(X)|_{\Sigma^e})$ and $\psi : R_{S'}(T_\Sigma(X)|_{\Sigma^e}) \to R_{S'}(A|_{\Sigma^e})$ such that $\phi' = \psi \circ \tau$, i.e. making the left-hand part of the following diagram commute:

(diagram: $T_{\Sigma^e}(X) \to R_{S'}(T_\Sigma(X)|_{\Sigma^e})$)

For any $x \in X_s$, $s \in S^e$, let $a = \phi'(x)$. There is some $t_a \in T_{\Sigma^e}(X_I)$ and $\rho : T_{\Sigma^e}(X_I) \to A|_{\Sigma^e}$ such that $\rho(t_a) = a$. We determine $\tau$ by defining $\tau(x) = t_a$ ($T_{\Sigma^e}(X_I) \subseteq R_{S'}(T_\Sigma(X)|_{\Sigma^e})$ because $X_I \subseteq R_{S'}(T_\Sigma(X)|_{\Sigma^e})$ and $R_{S'}(T_\Sigma(X)|_{\Sigma^e})$ is a $\Sigma^e$-algebra).

Determine $\psi$ as follows. Let $\psi_\rho : T_\Sigma(X) \to A$ be determined by

$$\psi_\rho(x) = \begin{cases} \rho(x), & x \in X_s,\ s \in I = S^e \setminus S' \\ a_\perp, & x \in X_s,\ s \in S \setminus I, \text{ for some choice } a_\perp \end{cases}$$

Define $\psi = R_{S'}(\psi_\rho|_{\Sigma^e})$. Then for any $t \in T_{\Sigma^e}(X_I)$, $\psi(t) = R_{S'}(\psi_\rho|_{\Sigma^e})(t) = \psi_\rho(t) = \rho(t)$. So for any $x \in X_s$, $s \in S^e$, $\psi(\tau(x)) = \psi(t_a) = \rho(t_a) = a = \phi'(x)$, and so $\phi' = \psi \circ \tau$.

Together with $(*)$ this gives $\phi'(u) \equiv_{E'} \phi'(v)$. Now, $\phi'$ was arbitrary so we get $\forall \phi' : T_{\Sigma^e}(X) \to R_{S'}(A|_{\Sigma^e})\ .\ \phi'(u) \equiv_{E'} \phi'(v)$.

Consider any $\phi : T_{\Sigma^e}(X) \to R_{S'}(A|_{\Sigma^e})/E'$. Fact 11 gives a $\phi' : T_{\Sigma^e}(X) \to R_{S'}(A|_{\Sigma^e})$ such that $\phi = \psi_{E'} \circ \phi'$. So for all $\phi : T_{\Sigma^e}(X) \to R_{S'}(A|_{\Sigma^e})/E'$ we have $\phi(u) = [\phi'(u)]_{E'} = [\phi'(v)]_{E'} = \phi(v)$, i.e. $R_{S'}(A|_{\Sigma^e})/E' \models u = v$. □



Lemma 10. Let $A \in \mathrm{Mod}_\Sigma(E)$, and let $\equiv_{E'}$ denote the congruence on $R_{S'}(A|_{\Sigma^e})$ induced by $E'$, so that $R_{S'}(A|_{\Sigma^e})/E'$ is the quotient by $\equiv_{E'}$. For $u, v \in R_{S'}(T_\Sigma(X)|_{\Sigma^e})$,

$$\vdash u = v \ \Rightarrow\ \forall \psi : R_{S'}(T_\Sigma(X)|_{\Sigma^e}) \to R_{S'}(A|_{\Sigma^e})\ .\ \psi(u) \equiv_{E'} \psi(v)$$

Proof: Suppose $\vdash u = v$, for $u, v \in R_{S'}(T_\Sigma(X)|_{\Sigma^e})$. Induction on the construction of $\vdash$. Fix $\psi : R_{S'}(T_\Sigma(X)|_{\Sigma^e}) \to R_{S'}(A|_{\Sigma^e})$ arbitrarily.

importE: Since $A \in \mathrm{Mod}_\Sigma(E)$ we have for any $\varphi : T_\Sigma(X) \to A$ that $\varphi(u) = \varphi(v)$. Determine $\varphi_\psi : T_\Sigma(X) \to A$ by

$$\varphi_\psi(x) = \begin{cases} \psi(x), & x \text{ a variable in } R_{S'}(T_\Sigma(X)|_{\Sigma^e}) \\ a_\perp, & x \text{ a variable otherwise in } T_\Sigma(X), \text{ for some choice } a_\perp \end{cases}$$

Then for $w \in R_{S'}(T_\Sigma(X)|_{\Sigma^e})$, we have $\varphi_\psi(w) = \psi(w)$, and so $\psi(u) = \varphi_\psi(u) = \varphi_\psi(v) = \psi(v)$. By refl of $\equiv_{E'}$ on $R_{S'}(A|_{\Sigma^e})$, $\psi(u) \equiv_{E'} \psi(v)$.

induceE$'$: Then $u = \tau(c[l])$, $\tau(c[r]) = v$ for some $(l, r) \in E'$, $c \in T_{\Sigma^e}(X)$ and $\tau : T_{\Sigma^e}(X) \to R_{S'}(T_\Sigma(X)|_{\Sigma^e})$. By induce of $\equiv_{E'}$ we have $\varphi(c[l]) \equiv_{E'} \varphi(c[r])$ for $\varphi = \psi \circ \tau : T_{\Sigma^e}(X) \to R_{S'}(A|_{\Sigma^e})$, and so $\psi(u) = \psi(\tau(c[l])) \equiv_{E'} \psi(\tau(c[r])) = \psi(v)$.

refl, sym and trans: These are dealt with by the i.h. and refl, sym and trans of $\equiv_{E'}$. □


Fact 11. Let $\Sigma$ be arbitrary. For any $\Sigma$-algebras $A$ and $B$, let $\sim$ be any $\Sigma$-congruence on $B$, and let $\phi : A \to B/{\sim}$ be a $\Sigma$-homomorphism. Then there exists a $\Sigma$-homomorphism $\phi' : A \to B$ such that $\phi$ is $\phi'$ followed by the $\Sigma$-homomorphism taking any $b$ in $B$ to its equivalence class $[b]_\sim$ in $B/{\sim}$.

Example 4. The calculus $\vdash^{FRI}$ can thus be used in verifying the refinement postulated in Example 0, namely the refinement of Set by SetbyCanonicalList. Referential opacity ensures the safe and sound interaction between the set $E$ of equations associated with List+ and the set $E'$ of equations introduced in the quotienting step forming SetbyCanonicalList. For instance, although add(x, add(x, add(y, empty))) = add(y, add(x, add(x, empty))), referential opacity hinders the inference

$\vdash^{FRI}$ in(y, remove(y, y :: add(x, add(x, add(y, empty))))) = in(y, remove(y, y :: add(y, add(x, add(x, empty)))))

which would have given $\vdash^{FRI}$ true = false. The inference is illegal because :: is a hidden operator symbol. Also, completeness is secured by the $\omega_{S'}$-rule for $S' = \{set\}$. We have $\vdash^{FRI}$ in(x, remove(x, s)) = false because for this to hold it is only required that $\vdash$ in(x, remove(x, $s_\tau$)) = false holds for all instances $s_\tau$ generated by empty and add. ◇
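The barrier at work in Example 4 can be checked mechanically. The following Python is an added illustration, not code from the paper: it models only the context condition of the induceE' rule (an $E'$ equation may be applied only below a context built from visible operator symbols, whereas an $E$ equation imported by importE may be used anywhere). The signature, the two equations, the hidden symbols `::` and `nil`, and the element constants `a` and `b` are all constructed for the example.

```python
"""Referential opacity as a checkable abstraction barrier.

Added illustration, not code from the paper.  A term is a string
(variable or constant) or a tuple (op, arg_1, ..., arg_n); a position is a
tuple of child indices into those tuples (index 1 is the first argument).
The signature, equations and terms below are constructed for the example.
"""

VISIBLE = {"empty", "add", "in", "remove", "true", "false"}   # Sigma^e (assumed)
HIDDEN = {"::", "nil"}                                         # hidden List+ constructors
VARS = {"x", "y", "s"}                                         # variables of the equations

# E ranges over the full signature and is usable in any context (importE);
# E' is over Sigma^e and is usable only under a Sigma^e context (induceE').
# Both equations are constructed for this example.
E = [(("remove", "x", ("::", "x", "s")), "s")]
E_PRIME = [(("add", "x", ("add", "y", "s")), ("add", "y", ("add", "x", "s")))]


def variables(t):
    """Equation variables occurring in a pattern."""
    if isinstance(t, str):
        return {t} if t in VARS else set()
    return set().union(*(variables(a) for a in t[1:]))


def match(pattern, term, subst=None):
    """First-order matching of pattern against term; returns the extended
    substitution, or None when there is no match."""
    subst = {} if subst is None else dict(subst)
    if isinstance(pattern, str):
        if pattern in VARS:
            if pattern in subst:
                return subst if subst[pattern] == term else None
            subst[pattern] = term
            return subst
        return subst if pattern == term else None
    if not isinstance(term, tuple) or len(term) != len(pattern) or term[0] != pattern[0]:
        return None
    for p, t in zip(pattern[1:], term[1:]):
        subst = match(p, t, subst)
        if subst is None:
            return None
    return subst


def instantiate(pattern, subst):
    if isinstance(pattern, str):
        return subst.get(pattern, pattern)
    return (pattern[0],) + tuple(instantiate(p, subst) for p in pattern[1:])


def subterm(term, pos):
    for i in pos:
        term = term[i]
    return term


def replace_at(term, pos, new):
    if not pos:
        return new
    i = pos[0]
    return term[:i] + (replace_at(term[i], pos[1:], new),) + term[i + 1:]


def context_symbols(term, pos):
    """Operator symbols of the context c[_] above position pos, root first."""
    syms = []
    for i in pos:
        syms.append(term[0])
        term = term[i]
    return syms


def rewrite(term, pos, equation, opaque):
    """Apply l = r (in either direction) at pos.  With opaque=True the
    equation is treated as an E' equation: the context above pos must be
    built from visible symbols only, otherwise the step is refused (None)."""
    if opaque and any(f in HIDDEN for f in context_symbols(term, pos)):
        return None
    target = subterm(term, pos)
    l, r = equation
    for lhs, rhs in ((l, r), (r, l)):
        subst = match(lhs, target)
        if subst is not None and variables(rhs) <= set(subst):
            return replace_at(term, pos, instantiate(rhs, subst))
    return None


def demo():
    """The situation of Example 4 with element constants a and b."""
    cands = ("add", "a", ("add", "a", ("add", "b", "empty")))
    hidden_ctx = ("in", "b", ("remove", "b", ("::", "b", cands)))
    visible_ctx = ("in", "b", ("remove", "b", cands))
    # E' commutativity below the hidden :: is refused ...
    blocked = rewrite(hidden_ctx, (2, 2, 2, 2), E_PRIME[0], opaque=True)
    # ... the same step below a visible-only context is allowed ...
    allowed = rewrite(visible_ctx, (2, 2, 2), E_PRIME[0], opaque=True)
    # ... and an E equation may be used anywhere, hidden symbols included.
    imported = rewrite(hidden_ctx, (2,), E[0], opaque=False)
    return blocked, allowed, imported
```

The `opaque` flag is the whole barrier: the same matcher and the same rewrite step are used for $E$ and $E'$, and only the walk over `context_symbols` decides whether an $E'$ step is admitted, which is what makes the `true = false` derivation of Example 4 unreachable.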
4.2 Coincidence of Initial Models

Fact 12. If $E$ is sufficiently complete w.r.t. $\Sigma^e$, i.e. for every ground term $g \in G_\Sigma$ there is a ground term $g^e \in G_{\Sigma^e}$ such that $E \vdash g = g^e$, then the class has an initial object, namely $G_\Sigma/E|_{\Sigma^e}/E'$.

If $E$ is not sufficiently complete in the sense above, then the class may or may not have an initial object.

Theorem 13. Suppose $E$ is sufficiently complete w.r.t. $\Sigma^e$, i.e. for every ground term $g \in G_\Sigma$ there is a ground term $g^e \in G_{\Sigma^e}$ such that $E \vdash g = g^e$. By Fact 12 the initial object $G_\Sigma/E|_{\Sigma^e}/E'$ exists. Then for $S' = S$,

$$R_{S'}(T_\Sigma(X)/E|_{\Sigma^e})/E' \cong G_\Sigma/E|_{\Sigma^e}/E'$$

Note for $S' = S$ that $R_{S'}(T_\Sigma(X)/E|_{\Sigma^e})/E'$ is initial in $\mathcal{K}^{FRI}$ by virtue of it being the classifying model, and a $\Sigma^e$-computation structure.

4.3 Forget-Identify-Restrict (FIR)

The FRI structure (2) is not equivalent to the structure in which the restrict step is done outermost, i.e. FRI is not equivalent to forget-identify-restrict (FIR); for a counter-example see 0. Let $\mathcal{K}^{FIR} = \{R_{S'}(A|_{\Sigma^e}/E') \mid A \in \mathrm{Mod}_\Sigma(E)\}$. A sound and complete calculus $\vdash^{FIR}$ for $\mathcal{K}^{FIR}$ is given by the following rule. For all $u, v \in T_{\Sigma^e}(X)$,

$$\dfrac{\forall \tau : T_{\Sigma^e}(X) \to R_{S'}(T_\Sigma(X)|_{\Sigma^e})\ .\ \vdash^{FI} \tau(u) = \tau(v)}{\vdash^{FIR} u = v}$$

Again, $\vdash^{FI}$ is subsumed by $\vdash^{FIR}$. Also, for $S' = S$, we have that the classifying model of $\mathcal{K}^{FIR}$ is isomorphic to the initial model discussed in Sect. 4.2.

5 Discussion and Conclusions 

We are concerned with the idea of enforcing protective abstraction barriers in 
proof methods that reflect abstraction barriers in (the semantics of) programs 
and more generally in program specifications. In this paper we have shown that 
for equational forms of the FI and FRI approaches to refinement, it suffices to use 
primitive equational logic with an abstraction barrier in the form of referential 
opacity. Although we have only discussed the flat case, we claim generality in
light of the normal form result for specifications mw and the argument that
quotient should only be employed outermost.

The calculi devised in this paper could form a basis upon which adaptations of semi-automated proof systems could be done. For instance, the referential opacity present in the calculi suggests altering the rewrite and completion-based method of proof by consistency by constraining the generation of critical pairs according to the context in the overlap of rewrite rules. Note that the results concerning the coincidence of initial models are then relevant. In particular, the $\omega_{S'}$ rule of the FRI calculus is relevant for the FI case at initiality. Note also that the $\omega_{S'}$ rule is particularly interesting when constructors are hidden as in Example 0. Under certain sufficient completeness conditions, the rule states that it is enough to do induction over "abstract constructors", like empty and add, even when functions are defined over "concrete" constructors, as is remove over nil and :: in Example 0.

Behavioural proofs are often simplified greatly by introducing behavioural lemmas, i.e. propositions that are true according to behavioural equality but not true literally. The referentially opaque calculus ensures an appropriate abstraction barrier so that such lemmas may be inserted soundly into the proof environment. The assumption of stability introduced in uni ensures the safe insertion of such lemmas too. Although the notion of stability applies at a different level of the refinement process, there seems to be a relationship worth looking at between the abstraction barriers provided by stability and referential opacity.

In the setting of behavioural refinement, semantically one does not need quo- 
tienting, and the restrict operator is also superfluous since one can speak in terms 
of partial behavioural congruences. However, for proving behavioural refinement 
steps, the calculi developed here are useful. One way of proving behavioural re- 
finement steps is to consider the behaviour of algebras [Zj. The behaviour of an 
algebra is its quotient by a behavioural congruence, and in the case where this 
congruence is partial, a restrict step has to be done. Hence we regain the FI and 
FRI situation. 

We remarked in Sect. El that the calculus in Definition 0 is given by the $\Sigma^e$-congruence on $T_\Sigma(X)|_{\Sigma^e}$ induced by the set of $\Sigma^e$-equations given by (0). We could therefore have defined the semantics as the class of quotients of $C|_{\Sigma^e}$ by that congruence, for $C \in \Sigma\mathrm{Alg}$, and expressed the classifying model as the corresponding quotient of $T_\Sigma(X)|_{\Sigma^e}$. In a sense this flattens the structured view of the semantics we had in the former characterisation. In fact we can flatten things even more by considering the following relation.

Definition 3 (Referentially Opaque Congruence). For any set $E$ of $\Sigma$-equations and any set $E'$ of equations, define $\approx$ on any $\Sigma$-algebra $A$ as the least equivalence containing

$$\{(\phi(c[l]), \phi(c[r])) \mid (l, r) \in E,\ c \in T_\Sigma(X),\ \phi : T_\Sigma(X) \to A\}\ \cup\ \{(\phi(c[l]), \phi(c[r])) \mid (l, r) \in E',\ c \in T_{\Sigma^e}(X),\ \phi : T_{\Sigma^e}(X) \to A|_{\Sigma^e}\}$$

i.e. the relation inductively defined by

$$\text{induceE} : \dfrac{}{\phi(c[l]) \approx \phi(c[r])} \quad (l, r) \in E,\ c \in T_\Sigma(X),\ \phi : T_\Sigma(X) \to A$$

$$\text{induceE}' : \dfrac{}{\phi(c[l]) \approx \phi(c[r])} \quad (l, r) \in E',\ c \in T_{\Sigma^e}(X),\ \phi : T_{\Sigma^e}(X) \to A|_{\Sigma^e}$$

$$\text{refl} : \dfrac{}{a \approx a} \qquad \text{sym} : \dfrac{a \approx a'}{a' \approx a} \qquad \text{trans} : \dfrac{a \approx a' \quad a' \approx a''}{a \approx a''}$$
Note that $\approx$ is not (in general) a $\Sigma$-congruence on $A$. However, if we define the reduct of $\approx$ w.r.t. a signature morphism $\sigma : \Sigma' \to \Sigma$ as for congruences, then $\approx|_{\Sigma^e}$ is a $\Sigma^e$-congruence on $A|_{\Sigma^e}$. It is easy to show:

Fact 14. Let $K = \{A|_{\Sigma^e}/(\approx|_{\Sigma^e}) \mid A \in \Sigma\mathrm{Alg}\}$. Then $K$ coincides with the semantics characterised above.

In a behavioural context, we can in fact use congruences of the form $\approx|_{\Sigma^e}$ to give behaviours of algebras. Here we manage to generate the behavioural congruence in the manner of a congruence induced by equations, even in the presence of problematic hidden operators. By Fact 14 the calculus lets us do proofs accordingly.

Now having considered $A|_{\Sigma^e}/(\approx|_{\Sigma^e})$, one might ask what $(A/{\approx})|_{\Sigma^e}$ is, and in particular what $A/{\approx}$ is. For a $\Sigma$-algebra $A$ and a congruence $\sim$ on $A$, $(A/{\sim})|_{\Sigma^e}$ is of course equal to $A|_{\Sigma^e}/(\sim|_{\Sigma^e})$. Since $\approx$ is not in general a congruence on $A$, considering an obvious naive definition of $A/{\approx}$ wouldn't necessarily give a $\Sigma$-algebra. There are, however, reasons to consider various other definitions of $A/{\approx}$. Let us give the as yet tentative structure $A/{\approx}$ the name $Q_A$.

For example, we could define $Q_A$ as the $\Sigma^e$-algebra having as carriers $A_s/{\approx_s}$ for each $s \in S$, and standard interpretations of each $f \in \Sigma^e$. Note that $Q_A$ then has carriers for all sorts in $S$. If we want a direct proof of the soundness and completeness of the calculus rather than deriving it as a sub-case of the FRI result, this definition of $Q_A$ enables an easy direct proof. This is due to the flat structure, but also to the ability of $Q_{T_\Sigma(X)} = T_\Sigma(X)/{\approx}$ to characterise all derivations involved in the calculus, also the ones giving the equations (theorems) imported by importE.

Hidden operator symbols, i.e. those in $\Sigma \setminus \Sigma^e$, have no interpretation in the above tentative definition of $Q_A$. Viewing $Q_A$ as a $\Sigma$-structure would demand that hidden operator symbols get an interpretation. These interpretations could be intensional operators, i.e. operators not respecting the equality predicate of the data type. For instance, looking to Example Ql, count would not respect the equality predicate given by the idempotency and associativity axioms for add. Considering intensional operators in data types is not an alien concept. Hiding and quotienting do not only occur in software development, but abound elsewhere in mathematics too. At the very foundations of real analysis, the reals are defined as a quotient of a set of Cauchy sequences. The n'th approximant function is then intensional, and from a constructivist point of view, so is every discontinuous function ini. Indeed in a constructive setting it might be prudent to add intensional operators to a data type [H] (a choice operator for quotient types). Note then that in $(A/{\approx})|_{\Sigma^e}$ the reduct operator is now applied outermost, in contrast to the FI- and FRI-models we considered earlier. One could speculate if there might be an adjunction between the appropriate reduct functor and some free functor. The free functor would then add intensional operators, and it would seem imperative to find a definition of structures with intensional operators, and in particular a definition of $Q_A$ as a $\Sigma$-structure, such that intensional operators are added in a manner in which they bring with them the appropriate abstraction barrier.
Abstract. In this paper, we present a formal verification framework for higher-order value-passing process algebra. This framework stems from an established synergy between type inference and model-checking. The language considered here is based on a sugared version of an implicitly typed $\lambda$-calculus extended with higher-order synchronous concurrency primitives. First, we endow such a syntax with a semantic theory made of a static semantics together with a dynamic semantics. The static semantics consists of an annotated type system. The dynamic semantics is operational and comes as a two-layered labeled transition system. The dynamic semantics is abstracted into a transitional semantics so as to make finite some infinite-state processes. We describe the syntax and the semantics of a verification logic that allows one to specify properties. The logic is an extension of the modal $\mu$-calculus for handling higher-order processes, value-passing and return of results.



1 Motivation and Background 

Concurrent, functional and imperative programming languages emerged as a 
multi-paradigmatic alternative appropriate for the development of concurrent 
and distributed applications. Such languages harmoniously combine syntactic 
compactness together with higher semantic expressiveness. Furthermore, they 
support functional abstraction (latent computations) and process abstraction 
(latent communications). Their expressivity is significantly increased by the 
higher-order aspect i.e. functions, pointers, channels and processes are first-class 
computable values (mobile values). Consequently, they cover both data and con- 
trol aspects. 

Concurrent and distributed systems are very often subjected to safety re- 
quirements. Accordingly, it is mandatory to have analysis and validation tools 
whereby one can formally guarantee the correctness of their behaviors with re- 
spect to the expected requirements. Model-checking refers to a formal, automatic 

* This research has been funded by a grant from FCAR (Fonds pour la Formation de Chercheurs et l'Aide à la Recherche), Quebec, Canada.
and exhaustive verification technique. It consists of the extraction of a model from a formal description of the system to be verified. That model is afterwards checked against a logical or a behavioral specification. Obviously, from the decidability standpoint, the infiniteness of the model is a limiting factor to the feasibility of model-checking. One solution is the application of abstraction techniques, which aim to abstract an infinite model to a finite one, in such a way that if some property holds for the abstracted model, it also holds for the original model.

The main contribution of this paper is a new approach for the verification 
of higher-order value-passing processes. This approach rests on an established 
synergy between model-checking and type inference. Such a synergy is achieved 
thanks to three major results. First, we present an abstraction technique that 
aims to derive finite models (transition systems) from concurrent and functional 
programs. The models extracted are rich enough to cope with the verification 
of data and control aspects of concurrent and distributed applications. Indeed, 
starting from a concrete dynamic semantics of a core-syntax, we derive an ab- 
stract dynamic semantics. The computable values that may be a source of in- 
finiteness are abstracted into finite representations that are types. By doing so, 
a large class of infinite models will likely be reduced to finite verifiable models. 
Second, we present a temporal logic that is used to express data and control 
properties of concurrent and functional programs. Such a logic is defined as an 
extension of the propositional modal /i-calculus of Kozen H3| to handle com- 
munication, value-passing and higher-order objects. The logic is semantically 
interpreted over the abstract dynamic semantics. Third, we present a verifica- 
tion algorithm based on model-checking techniques. In fact, since the model is 
finite, the usual algorithms may be easily accommodated to the model-checking 
of our logic. As an example, we present an accommodation of Emerson's algorithm.

Here is the way the rest of this paper is organized. Section 2 is devoted to the presentation of the related work. Section 3 is dedicated to the presentation of the language core-syntax considered in this work. In Section 4 we present the static semantics of our core-syntax. In Section 5 we present the dynamic operational semantics. The latter is abstracted in Section 6. The syntax and semantics of the verification logic is given in Section 7. A detailed discussion of the model-checking algorithm is presented in Section 8. Finally, a few concluding remarks and a discussion about further research are sketched as a conclusion in Section 9.

2 Related Work 

The first attempt in the design of concurrent and distributed languages mainly 
consisted in extending some imperative languages with concurrency and distri- 
bution primitives. Accordingly, this gave rise to languages such as Ada, Chill, 
Modula 2 and Occam. Lately, a great deal of interest has been expressed in 
concurrent and functional programming. This interest is motivated by the fact 
that functional programming demonstrated an extensive support of abstraction through the use of abstract data types and the composition of higher-order functions. Accordingly, plenty of languages (Concurrent ML 13 Em, Facile El, LCS 0, etc.), calculi (CHOCS E3E1, $\pi$-calculus 13113) and semantic theories 0 il 0 13 13 13 13 have been advanced.

Verification techniques could be structured in two major approaches: deduc- 
tive techniques and semantic-based techniques. Deductive techniques consist of 
the use of a logic together with the associated theorem prover. Verification is 
performed by deduction and is usually semi-automatic. Semantics-based ver- 
ification techniques, also known as model-checking techniques, consist of the 
automatic extraction of a model from the program to be verified. This model 
approximates the dynamic behaviors of the program. Afterwards, the model is 
checked against another model (the specification) or against a logical specifica- 
tion. Logical specifications are usually expressed as formulae in modal temporal 
logics. In ED E2] , the author addresses the verification by proposing a method- 
ology for generating semantically safe abstract, regular trees for programs that 
do not possess obvious, finite, state-transition diagram depictions. One primary 
result of this research is that one can, from infinite data sets, generate finite 
structures for model-checking. Furthermore, the methodology proposed can deal 
with various model infinity sources like computable values, infinite process and 
channel creation. In [3, the author addresses the verification by model-checking 
of a shared-memory concurrent imperative programming language. The author 
uses abstract interpretation on a true-concurrent operational semantics based on 
higher-dimensional transition systems. In 0, the author addresses the verifica- 
tion of CML programs. He presents an operational semantics for CML based on 
infinite domains of higher-dimensional automata. The author uses dual abstract 
interpretation to derive finite automata that represent sound but imprecise se- 
mantics of programs. 

Recently, a surge of interest has been devoted to the verification of higher- 
order processes in the presence of value-passing. In |P the authors address the 
specification and verification problem for process calculi such as CHOCS, CML 
and Facile where processes or functions are transmissible values. Their work takes 
place in the context of a static treatment of restriction and of a bisimulation- 
based semantics. They put the emphasis on (Plain) CHOCS. They show that 
CHOCS bisimulation can be characterized by an extension of Hennessy-Milner 
logic including a constructive implication, or function space constructor. Towards 
a proof system for the verification of process specifications, they present an 
infinitary sound and complete proof system for the fragment of the calculus 
not handling restriction. In 0, the author introduces a temporal logic for the polyadic $\pi$-calculus based on fixed point extensions of Hennessy-Milner logic. A proof system and a decision procedure are developed based on Stirling and Walker's approach to model-checking the $\mu$-calculus using constants. A proof system and a decision procedure are obtained for arbitrary $\pi$-calculus processes with finite control.
3 Language

In this section, we present the Concurrent ML core-syntax considered in this work. We have kept the number of constructs to a bare minimum so as to facilitate a more compact and complete description of our verification framework. The BNF syntax of the core language is presented in Table 1.



Table 1. The core syntax

Exp ∋ e ::= x | v | e e' | rec f(x) => e                              (Expressions)
          | (e, e') | e ; e' | let x = e in e' end
          | if e then e' else e'' end
          | spawn(e) | sync(e) | receive(e) | transmit(e, e')
          | choose(e, e') | channel()
Val ∋ v ::= c | fn x => e                                               (Values)
Cst ∋ c ::= () | true | false | num n                                   (Constants)

Along this paper, we will write $m_{x_1, x_2, \ldots}$ for the map $m$ excluding the associations of the form $x_i \mapsto \_$. Given two maps $m$ and $m'$, we will write $m \dagger m'$ for the overwriting of the map $m$ by the associations of the map $m'$, i.e. the domain of $m \dagger m'$ is $dom(m) \cup dom(m')$ and we have $(m \dagger m')(a) = m'(a)$ if $a \in dom(m')$ and $m(a)$ otherwise.

4 Static Semantics 

Our intention here is to endow our core-syntax with a static semantics. The latter is a standard annotated effect type system. We introduce the following static domains:

1. The domain of regions: regions are intended to abstract channels. Their domain consists in the disjoint union of a countable set of constants ranged over by $r$ and variables ranged over by $\varrho$. We will use $\rho, \rho', \ldots$ to represent values drawn from this domain.

2. The domain of side and communication effects is inductively defined by:

$$\sigma ::= \emptyset \mid \varsigma \mid \sigma \cup \sigma' \mid create(\rho, \tau) \mid in(\rho, \tau) \mid out(\rho, \tau)$$

We use $\emptyset$ to denote an empty effect and $\varsigma$ to denote an effect variable. The communication effect $create(\rho, \tau)$ represents the creation, in the region $\rho$, of a channel that is a medium for values of type $\tau$. The term $in(\rho, \tau)$ denotes the communication effect resulting from receiving a value of type $\tau$ on a channel in the region $\rho$ and $out(\rho, \tau)$ denotes the communication effect resulting from sending a value of type $\tau$ on a channel in the region $\rho$. The effect $\sigma \cup \sigma'$
stands for an effect that represents an upper approximation of $\sigma$ and $\sigma'$ (effect cumulation). Actually, only one of the two effects, $\sigma$ or $\sigma'$, will emerge at the dynamic evaluation. We write $\sigma \sqsubseteq \sigma'$ iff $\sigma \cup \sigma' = \sigma'$. Equality on effects is modulo ACUI (Associativity, Commutativity and Idempotence) with $\emptyset$ as the neutral element.

3. The domain of types is inductively defined by:

$$\tau ::= unit \mid int \mid bool \mid \alpha \mid \tau \times \tau' \mid chan_\rho(\tau) \mid event_\sigma(\tau) \mid \tau \xrightarrow{\sigma} \tau'$$

The term $chan_\rho(\tau)$ is the type of channels in the region $\rho$ that are intended to be media for values of type $\tau$. The term $\tau \xrightarrow{\sigma} \tau'$ is the type of functions that take parameters of type $\tau$ to values of type $\tau'$ with a latent effect $\sigma$. By latent effect, we refer to the effect generated when the corresponding function expression is evaluated. The type $event_\sigma(\tau)$ denotes inactive processes having potential effect (latent effect $\sigma$) that are expected to return a value of type $\tau$ once their execution terminates.

Table 2 presents the static semantics of our core language.

Table 2. The typing rules

$$\text{(cte)}\ \dfrac{\tau \le TypeOf(c)}{\mathcal{E} \vdash c : \tau, \emptyset} \qquad \text{(var)}\ \dfrac{\tau \le \mathcal{E}(x)}{\mathcal{E} \vdash x : \tau, \emptyset}$$

$$\text{(abs)}\ \dfrac{\mathcal{E}_x \dagger [x \mapsto \tau] \vdash e : \tau', \sigma}{\mathcal{E} \vdash \text{fn } x \Rightarrow e : \tau \xrightarrow{\sigma} \tau', \emptyset} \qquad \text{(app)}\ \dfrac{\mathcal{E} \vdash e : \tau \xrightarrow{\sigma} \tau', \sigma' \quad \mathcal{E} \vdash e' : \tau, \sigma''}{\mathcal{E} \vdash (e\ e') : \tau', ((\sigma'; \sigma''); \sigma)}$$

$$\text{(let)}\ \dfrac{\mathcal{E} \vdash e : \tau, \sigma \quad \mathcal{E}_x \dagger [x \mapsto Gen(\mathcal{E}, \tau, \sigma)] \vdash e' : \tau', \sigma'}{\mathcal{E} \vdash \text{let } x = e \text{ in } e' \text{ end} : \tau', (\sigma; \sigma')}$$

$$\text{(pair)}\ \dfrac{\mathcal{E} \vdash e : \tau, \sigma \quad \mathcal{E} \vdash e' : \tau', \sigma'}{\mathcal{E} \vdash (e, e') : \tau \times \tau', (\sigma; \sigma')} \qquad \text{(seq)}\ \dfrac{\mathcal{E} \vdash e : \tau, \sigma \quad \mathcal{E} \vdash e' : \tau', \sigma'}{\mathcal{E} \vdash e; e' : \tau', (\sigma; \sigma')}$$

$$\text{(if)}\ \dfrac{\mathcal{E} \vdash e : bool, \sigma \quad \mathcal{E} \vdash e' : \tau, \sigma' \quad \mathcal{E} \vdash e'' : \tau, \sigma''}{\mathcal{E} \vdash \text{if } e \text{ then } e' \text{ else } e'' \text{ end} : \tau, \sigma \cup \sigma' \cup \sigma''}$$

$$\text{(rec)}\ \dfrac{\mathcal{E}_{x,f} \dagger [x \mapsto \tau, f \mapsto \tau \xrightarrow{\sigma} \tau'] \vdash e : \tau', \sigma}{\mathcal{E} \vdash \text{rec } f(x) \Rightarrow e : \tau \xrightarrow{\sigma} \tau', \emptyset} \qquad \text{(obs)}\ \dfrac{\mathcal{E} \vdash e : \tau, \sigma \quad Observe(\mathcal{E}, \tau, \sigma) \sqsubseteq \sigma'}{\mathcal{E} \vdash e : \tau, \sigma'}$$


The static semantics manipulates sequents of the form $\mathcal{E} \vdash e : \tau, \sigma$, which state that under some typing environment $\mathcal{E}$ the expression $e$ has type $\tau$ and effect $\sigma$. We also define type schemes of the form $\forall v_1, \ldots, v_n . \tau$, where $v_i$ can be a type, region or effect variable. A type $\tau'$ is an instance of $\forall v_1, \ldots, v_n . \tau$, noted $\tau' \le \forall v_1, \ldots, v_n . \tau$, if there exists a substitution $\theta$ defined over $v_1, \ldots, v_n$ such that $\tau' = \theta\tau$.

Type generalization in this type system states that a variable cannot be generalized if it is free in the type environment $\mathcal{E}$ or if it is present in the inferred effect:

$$Gen(\mathcal{E}, \tau, \sigma) = \text{let } v_{1..n} = fv(\tau) \setminus (fv(\mathcal{E}) \cup fv(\sigma)) \text{ in } \forall v_{1..n} . \tau \text{ end}$$

where $fv(\_)$ denotes the set of free variables. The observation criterion was introduced in order to report only effects that can affect the context of an expression.

$$\begin{array}{rl} Observe(\mathcal{E}, \tau, \sigma) = & \{\varsigma \in \sigma \mid \varsigma \in fv(\mathcal{E}) \cup fv(\tau)\} \\ \cup & \{create(\rho, \tau') \in \sigma \mid \rho \in fr(\mathcal{E}) \cup fr(\tau) \wedge \tau' \in S\_T\} \\ \cup & \{in(\rho, \tau') \in \sigma \mid \rho \in fr(\mathcal{E}) \cup fr(\tau) \wedge \tau' \in S\_T\} \\ \cup & \{out(\rho, \tau') \in \sigma \mid \rho \in fr(\mathcal{E}) \cup fr(\tau) \wedge \tau' \in S\_T\} \end{array}$$

where $S\_T$ is the domain of types, and $fr(\mathcal{E})$ stands for the set of free channel regions in the static environment $\mathcal{E}$. The function $TypeOf$ allows the typing of built-in primitives as defined in Table 3.
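To make $Gen$ and $Observe$ concrete, here is an added Python model of them (not the paper's implementation). Effects are frozensets, so equality modulo ACUI with $\emptyset$ as neutral element is plain set equality and $\sigma \cup \sigma'$ is set union. The tuple encoding of types, regions and environments, and the scenario in `demo` (a private channel in a region variable `rho1` and an externally known channel in a region constant `r2`), are assumptions of the example.

```python
"""Effects modulo ACUI, Gen and the Observe criterion of Section 4.

Added illustration, not the paper's implementation.  Encoding (constructed):
  types    'unit' | 'int' | 'bool' | ('tvar', a) | ('pair', t1, t2)
           | ('chan', region, t) | ('arrow', t1, effect, t2) | ('event', effect, t)
  regions  ('rconst', r) | ('rvar', v)
  effects  frozenset of atoms ('evar', v) | ('create'|'in'|'out', region, t)
An effect is a frozenset, so union is associative, commutative and idempotent
with frozenset() as the empty effect.  An environment maps names to type
schemes ('forall', bound_variable_names, type).
"""


def fv(t):
    """Free type, region and effect variables of a type, region, atom or effect."""
    if isinstance(t, frozenset):
        return set().union(*(fv(a) for a in t))
    if isinstance(t, str):
        return set()
    if t[0] in ("tvar", "rvar", "evar"):
        return {t[1]}
    if t[0] == "rconst":
        return set()
    return set().union(*(fv(x) for x in t[1:]))


def fr(t):
    """Channel regions (constants and variables) occurring in a type."""
    if isinstance(t, frozenset):
        return set().union(*(fr(a) for a in t))
    if isinstance(t, str) or t[0] in ("tvar", "evar"):
        return set()
    if t[0] in ("rconst", "rvar"):
        return {t}
    return set().union(*(fr(x) for x in t[1:]))


def fv_env(env):
    """Free variables of the environment: scheme variables minus the bound ones."""
    return set().union(*(fv(t) - bound for (_, bound, t) in env.values()))


def fr_env(env):
    """Free channel regions of the environment (bound region variables excluded)."""
    regions = set()
    for _, bound, t in env.values():
        regions |= {r for r in fr(t) if not (r[0] == "rvar" and r[1] in bound)}
    return regions


def observe(env, tau, sigma):
    """Observe(E, tau, sigma): keep only the atoms whose effect variable or
    region is free in the environment or in the result type."""
    visible_vars = fv_env(env) | fv(tau)
    visible_regions = fr_env(env) | fr(tau)
    kept = set()
    for atom in sigma:
        if atom[0] == "evar" and atom[1] in visible_vars:
            kept.add(atom)
        elif atom[0] in ("create", "in", "out") and atom[1] in visible_regions:
            kept.add(atom)
    return frozenset(kept)


def gen(env, tau, sigma):
    """Gen(E, tau, sigma): generalise the variables of tau that are neither
    free in the environment nor present in the inferred effect."""
    return ("forall", frozenset(fv(tau) - (fv_env(env) | fv(sigma))), tau)


def demo():
    """Constructed scenario: an expression creates a private channel in region
    rho1, uses it internally, and sends on a known channel in region r2."""
    rho1, r2 = ("rvar", "rho1"), ("rconst", "r2")
    sigma = frozenset({("create", rho1, "int"), ("in", rho1, "int"),
                       ("out", r2, "int"), ("evar", "zeta")})
    tau = ("chan", r2, "int")
    env = {"c": ("forall", frozenset(), ("chan", r2, "int"))}
    observed = observe(env, tau, sigma)        # only out(r2, int) survives
    # zeta occurs in the latent effect, so it is not generalised; alpha, beta are.
    f = ("arrow", ("tvar", "alpha"), frozenset({("evar", "zeta")}), ("tvar", "beta"))
    scheme = gen({}, f, frozenset({("evar", "zeta")}))
    return observed, scheme
```

`observe` is the security-relevant half: the effects on the private channel in `rho1` are internal to the expression and are dropped from what the context sees, while the `out` on the shared region `r2` is reported, which is exactly what the (obs) rule lets a derivation do.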



Table 3. The initial static basis

$$\begin{array}{rcl}
TypeOf & = & [\ () \mapsto unit, \\
& & true \mapsto bool, \\
& & false \mapsto bool, \\
& & num\ n \mapsto int, \\
& & channel \mapsto \forall \alpha, \varrho, \varsigma\ .\ unit \xrightarrow{\varsigma \cup create(\varrho, \alpha)} chan_\varrho(\alpha), \\
& & receive \mapsto \forall \alpha, \varrho, \varsigma, \varsigma'\ .\ chan_\varrho(\alpha) \to event_{\varsigma' \cup in(\varrho, \alpha)}(\alpha), \\
& & transmit \mapsto \forall \alpha, \varrho, \varsigma, \varsigma'\ .\ chan_\varrho(\alpha) \times \alpha \to event_{\varsigma' \cup out(\varrho, \alpha)}(unit), \\
& & choose \mapsto \forall \alpha, \varsigma, \varsigma', \varsigma''\ .\ event_{\varsigma'}(\alpha) \times event_{\varsigma''}(\alpha) \to event_{\varsigma' \cup \varsigma''}(\alpha), \\
& & spawn \mapsto \forall \varsigma, \varsigma'\ .\ (unit \to unit) \to unit, \\
& & sync \mapsto \forall \alpha, \varsigma, \varsigma'\ .\ event_{\varsigma'}(\alpha) \to \alpha\ ]
\end{array}$$


5 Concrete Dynamic Semantics 

In this section, we endow our core-syntax with a dynamic operational semantics. The latter is now standard and will be defined here as a two-layered labeled transition system. First of all, we need to introduce some semantic domains and to extend the expression syntax to intermediate expressions (expressions that may occur during the dynamic evaluation). As illustrated in Table 4 we introduce six semantic categories.



Table 4. The semantic categories

CVal ∋ cv  ::= c | fn x => i | k | ev | (cv, cv)                 (Computable Values)
Evt  ∋ ev  ::= (ec, cv)                                          (Events)
IExp ∋ i   ::= e | cv | cv e | let x = cv in e end
             | (cv, e) | cv; e                                   (Intermediate Expressions)
ECon ∋ ec  ::= receive | transmit | choose                       (Event Constructors)
Com  ∋ com ::= k?cv | k!cv                                       (Communications)
Act  ∋ a   ::= com | ε | λ(k) | φ(cv)                            (Actions)



The semantic category $CVal$ is ranged over by $cv$ and corresponds to the domain of computable values. The semantic category $Evt$ of events is ranged over by $ev$. An event is a pair consisting of the event constructor $ec$ and its argument $cv$. An event constructor $ec$ is a member of the syntactic domain $ECon$. The semantic category $IExp$ is ranged over by $i$ and corresponds to the domain of intermediate expressions. The semantic category $Com$ is ranged over by $com$ and corresponds to the domain of communications. Input communications are of the form $k?cv$ where $k$ is a channel computable value and $cv$ is another computable value that will be received on the channel $k$. Output communications are of the form $k!cv$ where $k$ is a channel computable value and $cv$ is another computable value that will be sent along the channel $k$. The semantic category $Act$ is ranged over by $a$ and corresponds to the domain of actions. The silent action $\varepsilon$ denotes internal moves. A creation of a channel $k$ is considered as an action and is written $\lambda(k)$. A process spawning of a value $cv$ is considered as an action and is written $\phi(cv)$.

The operational semantics is structured in two layers, one for expressions in isolation and one for multisets of expressions running in parallel. These two layers involve three transition relations whose definitions are given hereafter.



5.1 Expression Semantics

The first relation, written $\_ \Rightarrow \_ \subseteq Evt \times Com \times IExp$, is a transition relation that is meant to define the communication potential of events. The rules that define this relation are presented in Table 5.

A transition of the form $ev \overset{com}{\Longrightarrow} i$ intuitively means that the event $ev$ has the potential of performing the communication $com$ (when $sync$ is applied to the event) and then it will behave as the intermediate expression $i$.
Table 5. The semantic rules of the relation $\Rightarrow$

$$\text{(transmit)}\ (transmit, (k, cv)) \overset{k!cv}{\Longrightarrow} () \qquad \text{(receive)}\ (receive, k) \overset{k?cv}{\Longrightarrow} cv$$

$$\text{(choose}_1)\ \dfrac{ev_1 \overset{com}{\Longrightarrow} i}{(choose, (ev_1, ev_2)) \overset{com}{\Longrightarrow} i} \qquad \text{(choose}_2)\ \dfrac{ev_2 \overset{com}{\Longrightarrow} i}{(choose, (ev_1, ev_2)) \overset{com}{\Longrightarrow} i}$$


The second relation, written $\_ \to \_ \subseteq IExp \times Act \times IExp$, is the one that defines the operational semantics of processes. A transition of the form $i \xrightarrow{a} i'$ intuitively means that by performing the action $a$, the intermediate expression $i$ will behave as $i'$. The rules that define this relation are presented in Table 6.



Table 6. The concrete operational semantics of processes

$$\text{(app}_1)\ \dfrac{i_1 \xrightarrow{a} i_1'}{i_1\ i_2 \xrightarrow{a} i_1'\ i_2} \qquad \text{(app}_2)\ \dfrac{i \xrightarrow{a} i'}{cv\ i \xrightarrow{a} cv\ i'}$$

$$\text{(beta}_1)\ (\text{fn } x \Rightarrow i)\ cv \xrightarrow{\varepsilon} i[cv/x] \qquad \text{(beta}_2)\ ec\ cv \xrightarrow{\varepsilon} (ec, cv)$$

$$\text{(pair}_1)\ \dfrac{i_1 \xrightarrow{a} i_1'}{(i_1, i_2) \xrightarrow{a} (i_1', i_2)} \qquad \text{(pair}_2)\ \dfrac{i \xrightarrow{a} i'}{(cv, i) \xrightarrow{a} (cv, i')}$$

$$\text{(seq}_1)\ \dfrac{i_1 \xrightarrow{a} i_1'}{i_1; i_2 \xrightarrow{a} i_1'; i_2} \qquad \text{(seq}_2)\ cv; i \xrightarrow{\varepsilon} i$$

$$\text{(chan)}\ channel() \xrightarrow{\lambda(k)} k \qquad \text{(spawn}_1)\ spawn\ cv \xrightarrow{\phi(cv)} ()$$

$$\text{(rec)}\ rec\ f(x) \Rightarrow i \xrightarrow{\varepsilon} \text{fn } x \Rightarrow i[(rec\ f(x) \Rightarrow i)/f]$$

$$\text{(if}_1)\ \dfrac{i_1 \xrightarrow{a} i_1'}{\text{if } i_1 \text{ then } i_2 \text{ else } i_3 \text{ end} \xrightarrow{a} \text{if } i_1' \text{ then } i_2 \text{ else } i_3 \text{ end}}$$

$$\text{(if}_2)\ \text{if } true \text{ then } i_1 \text{ else } i_2 \text{ end} \xrightarrow{\varepsilon} i_1 \qquad \text{(if}_3)\ \text{if } false \text{ then } i_1 \text{ else } i_2 \text{ end} \xrightarrow{\varepsilon} i_2$$

$$\text{(let}_1)\ \dfrac{i_1 \xrightarrow{a} i_1'}{\text{let } x = i_1 \text{ in } i_2 \text{ end} \xrightarrow{a} \text{let } x = i_1' \text{ in } i_2 \text{ end}} \qquad \text{(let}_2)\ \text{let } x = cv \text{ in } i \text{ end} \xrightarrow{\varepsilon} i[cv/x]$$

$$\text{(sync)}\ \dfrac{ev \overset{com}{\Longrightarrow} i}{sync\ ev \xrightarrow{com} i}$$


5.2 Program Semantics 

Now, in order to define the third transition relation we need to introduce the following semantic functions and domains. We denote by $CV[i]$ the set of channels $k$ occurring in an intermediate expression $i$.

We view a program as a multiset of intermediate expressions. We let $Prog$ be $IExp\text{-}MultiSet$, i.e. the set of program multisets. The set of channels that occur in a multiset $P$ is obtained by including the channels in each intermediate expression. The operational semantics of programs is based on the evolution of the so-called configurations. We define a $K$-configuration, and we write $K :: P$, to be a pair where the first component $K$ is the set of all channels allocated up to a certain point, and the second component $P$ is a program (a multiset of intermediate expressions). Let $Chan$ be the set of channel computable values. The domain of $K$-configurations $Conf_K$ is defined as follows:

$$Conf_K = \{K :: P \mid K \subseteq Chan \wedge P \in Prog \wedge CV[P] \subseteq K\}$$

The semantics of $K$-configurations is given in terms of the labeled transition system $(Conf_K, Com \cup \{\varepsilon\}, \to)$. The transition relation $\to$ is defined as the smallest subset of $Conf_K \times (Com \cup \{\varepsilon\}) \times Conf_K$ closed under the rules presented in Table 7.



Table 7. The operational semantics of programs

$(\mathit{action})\quad \dfrac{i \xrightarrow{a} i'}{K :: \{\!|i|\!\} \xrightarrow{a} K \cup Msg(a) :: \{\!|i'|\!\}}$ with $a \in Com \cup \{\epsilon\}$

$(\mathit{channel})\quad \dfrac{i \xrightarrow{\chi(k)} i'}{K :: \{\!|i|\!\} \xrightarrow{\epsilon} K \cup \{k\} :: \{\!|i'|\!\}}$

$(\mathit{spawn}_2)\quad \dfrac{i \xrightarrow{\phi(cv)} i'}{K :: \{\!|i|\!\} \xrightarrow{\epsilon} K :: \{\!|i', cv\ ()|\!\}}$

$(\mathit{communication})\quad \dfrac{i_1 \xrightarrow{k?cv} i_1' \qquad i_2 \xrightarrow{k!cv} i_2'}{K :: \{\!|i_1, i_2|\!\} \xrightarrow{\epsilon} K :: \{\!|i_1', i_2'|\!\}}$

$(\mathit{isolation})\quad \dfrac{K :: P_1 \xrightarrow{a} K' :: P_1'}{K :: P_1 \cup P_2 \xrightarrow{a} K' :: P_1' \cup P_2}$

The function $Msg$ extracts the set of channels that are transmitted in a 
communication. 



6 Abstract Dynamic Semantics 

In this section, we describe an abstract dynamic semantics derived from the 
concrete dynamic semantics presented in the previous section. The motivation is to 
abstract computable values that could be a source of infiniteness. These values 
are abstracted into finite representations, namely types. By doing so, we ensure 
that a large class of infinite models will likely be reduced to finite verifiable 
models. 

The abstract semantic categories are illustrated in Table 8. The abstract 
semantic category $AVal$ is ranged over by $cv$ and corresponds to the domain 
of abstract values. The semantic category $AFExp$ is ranged over by $afe$ and 
Table 8. The abstract semantic categories

$AVal \ni cv ::= ac \mid k_{chan_\rho(\tau)} \mid ev \mid afe \mid (cv, cv)$  (Abstract Values)

$AFExp \ni afe ::= \mathtt{fn}\ x \Rightarrow i \mid \tau \rightarrow \tau'$  (Abstract Functional Exp.)

$ACst \ni ac ::= c \mid int \mid bool \mid unit$  (Abstract Constants)

$AChan \ni k_{chan_\rho(\tau)} ::= k \mid chan_\rho(\tau)$  (Abstract Channels)

$AEvt \ni ev ::= (ec, cv) \mid event_\rho(\tau)$  (Abstract Events)

$ECon \ni ec ::= \mathtt{receive} \mid \mathtt{transmit} \mid \mathtt{choose}$  (Event Constructors)

$AIExp \ni i ::= e \mid cv \mid cv\ e \mid (cv, e) \mid cv; e \mid \mathtt{let}\ x = cv\ \mathtt{in}\ e\ \mathtt{end}$  (Abstract Intermediate Exp.)

$ACom \ni com ::= k_{chan_\rho(\tau)}?\tau \mid k_{chan_\rho(\tau)}!cv$  (Abstract Communications)

$AAct \ni a ::= com \mid \epsilon \mid \chi(k_{chan_\rho(\tau)}) \mid \phi(cv)$  (Abstract Actions)

$Loc \ni l ::= n \mid n.l$ where $n \in \mathbb{N}$  (Locations)
corresponds to the abstract functional expressions. The abstract semantic category 
$ACst$ is ranged over by $ac$ and corresponds to the domain of abstract 
constants. The abstract semantic category $AChan$ is ranged over by $k_{chan_\rho(\tau)}$ 
and corresponds to the domain of abstract channels. This category includes 
channel computable values together with the type of channels. The abstract semantic 
category $AEvt$ is ranged over by $ev$ and corresponds to the domain of 
abstract events. This category includes events together with the type of events. 
The abstract semantic category $AIExp$ is ranged over by $i$ and corresponds to 
the domain of abstract intermediate expressions. The abstract semantic category 
$ACom$ is ranged over by $com$ and corresponds to the domain of abstract 
communications. Abstract input communications are of the form $k_{chan_\rho(\tau)}?\tau$ and 
stand for the action of receiving values, abstracted by their type, on an abstract 
channel. Abstract output communications are of the form $k_{chan_\rho(\tau)}!cv$ and stand 
for the transmission of an abstract value along an abstract channel. The abstract 
semantic category $AAct$ is ranged over by $a$ and corresponds to the domain of 
actions. The abstract semantic category $Loc$ is ranged over by $l$ and corresponds 
to the domain of locations. 



6.1 Expression Semantics 

The rules that define the relation $\Rightarrow\ \subseteq AEvt \times ACom \times AIExp$ are presented 
in Table 9.

The (transmit) and (receive) rules are changed to reflect the use of abstract 
values. For example, the second one means that the event $(\mathtt{receive}, k_{chan_\rho(\tau)})$ 
has the potential of performing the communication $k_{chan_\rho(\tau)}?\tau$, and then behaves 
as the abstract value $\tau$. This means that the possible values received on the 
channel $k_{chan_\rho(\tau)}$ are abstracted as their type. This abstraction ensures that a 
large class of infinite models will likely be reduced to finite models. The rules 
Table 9. The abstract semantic rules of the relation $\Rightarrow$

$(\mathit{transmit})\quad (\mathit{transmit}, (k_{chan_\rho(\tau)}, cv)) \xRightarrow{k_{chan_\rho(\tau)}!cv} ()$

$(\mathit{receive})\quad (\mathit{receive}, k_{chan_\rho(\tau)}) \xRightarrow{k_{chan_\rho(\tau)}?\tau} \tau$

$(\mathit{choose}_1)\quad \dfrac{ev_1 \xRightarrow{com} i}{(\mathit{choose}, (ev_1, ev_2)) \xRightarrow{com} i}$

$(\mathit{choose}_2)\quad \dfrac{ev_2 \xRightarrow{com} i}{(\mathit{choose}, (ev_1, ev_2)) \xRightarrow{com} i}$



that define the relation $\rightarrow\ \subseteq AIExp \times AAct \times Loc \times AIExp$ are presented in 
Table 10.

For instance, the rule $(\mathit{beta}_3)$ is defined to evaluate the application of a class 
of functions that have the same type $(\tau \rightarrow \tau')$ to an abstract value $cv$. 

6.2 Program Abstract Semantics 

As in the concrete semantics, the program abstract semantics is based on the evolution 
of $K$-configurations. The definitions of the domain of $K$-configurations and of the 
semantic function $Msg$ remain the same, except that the latter is defined over 
abstract values. The semantics of $K$-configurations is given in terms of the labeled 
transition system $(Conf_K, ACom \cup \{\epsilon\}, \rightarrow)$. The transition relation $\rightarrow$ 
is defined as the smallest subset of $Conf_K \times (ACom \cup \{\epsilon\}) \times Conf_K$ closed under 
the rules presented in Table 11, where $i[cv]_l$ stands for the term $i$ in which the 
subterm at location $l$ is replaced by $cv$.

6.3 Correctness of the Abstraction 

The correctness of the abstraction is assured since there is an equivalence be- 
tween the abstract transition graph and the concrete one. In fact, by unfolding 
in the abstract graph each transition containing an abstract term by the equiv- 
alent set of transitions composed by concrete values, we transform an abstract 
transition graph into a concrete one. 



7 A Modal Logic for Concurrent ML 

In this section we introduce a logic that allows one to specify properties of 
expressions. The logic we consider may be viewed as a variant of the modal 
μ-calculus, or of Hennessy-Milner Logic with recursion. In the proposed 
logic, modal formulae can also be used to express communication, value-passing 
and result returns. This logic is semantically interpreted over the abstract dynamic 
semantics. 
Table 10. The abstract operational semantics of processes

$(\mathit{app}_1)\quad \dfrac{i_1 \xrightarrow[l]{a} i_1'}{i_1\ i_2 \xrightarrow[1.l]{a} i_1'\ i_2}$

$(\mathit{app}_2)\quad \dfrac{i \xrightarrow[l]{a} i'}{cv\ i \xrightarrow[2.l]{a} cv\ i'}$

$(\mathit{beta}_1)\quad ec\ cv \xrightarrow[0]{\epsilon} (ec, cv)$

$(\mathit{beta}_2)\quad (\mathtt{fn}\ x \Rightarrow i)\ cv \xrightarrow[0]{\epsilon} i[cv/x]$

$(\mathit{beta}_3)\quad (\tau \rightarrow \tau')(cv) \xrightarrow[0]{\epsilon} \tau'$

$(\mathit{pair}_1)\quad \dfrac{i_1 \xrightarrow[l]{a} i_1'}{(i_1, i_2) \xrightarrow[1.l]{a} (i_1', i_2)}$

$(\mathit{pair}_2)\quad \dfrac{i \xrightarrow[l]{a} i'}{(cv, i) \xrightarrow[2.l]{a} (cv, i')}$

$(\mathit{seq}_1)\quad \dfrac{i_1 \xrightarrow[l]{a} i_1'}{i_1; i_2 \xrightarrow[1.l]{a} i_1'; i_2}$

$(\mathit{seq}_2)\quad \dfrac{i \xrightarrow[l]{a} i'}{cv; i \xrightarrow[2.l]{a} cv; i'}$

$(\mathit{chan})\quad \mathtt{channel}() \xrightarrow[0]{\chi(k_{chan_\rho(\tau)})} k_{chan_\rho(\tau)}$

$(\mathit{spawn}_1)\quad \mathtt{spawn}\ cv \xrightarrow[0]{\phi(cv)} ()$

$(\mathit{rec})\quad \mathtt{rec}\ f(x) \Rightarrow i \xrightarrow[0]{\epsilon} \mathtt{fn}\ x \Rightarrow i[(\mathtt{rec}\ f(x) \Rightarrow i)/f]$

$(\mathit{if}_1)\quad \dfrac{i_1 \xrightarrow[l]{a} i_1'}{\mathtt{if}\ i_1\ \mathtt{then}\ i_2\ \mathtt{else}\ i_3\ \mathtt{end} \xrightarrow[1.l]{a} \mathtt{if}\ i_1'\ \mathtt{then}\ i_2\ \mathtt{else}\ i_3\ \mathtt{end}}$

$(\mathit{if}_2)\quad \mathtt{if\ true\ then}\ i_1\ \mathtt{else}\ i_2\ \mathtt{end} \xrightarrow[0]{\epsilon} i_1$

$(\mathit{if}_3)\quad \mathtt{if\ false\ then}\ i_1\ \mathtt{else}\ i_2\ \mathtt{end} \xrightarrow[0]{\epsilon} i_2$

$(\mathit{let}_1)\quad \dfrac{i_1 \xrightarrow[l]{a} i_1'}{\mathtt{let}\ x = i_1\ \mathtt{in}\ i_2\ \mathtt{end} \xrightarrow[1.l]{a} \mathtt{let}\ x = i_1'\ \mathtt{in}\ i_2\ \mathtt{end}}$

$(\mathit{let}_2)\quad \mathtt{let}\ x = cv\ \mathtt{in}\ i\ \mathtt{end} \xrightarrow[0]{\epsilon} i[cv/x]$

$(\mathit{sync})\quad \dfrac{ev \xRightarrow{com} i}{\mathtt{sync}\ ev \xrightarrow[0]{com} i}$
Table 11. The abstract operational semantics of programs

$(\mathit{action})\quad \dfrac{i \xrightarrow[l]{a} i'}{K :: \{\!|i|\!\} \xrightarrow{a} K \cup Msg(a) :: \{\!|i'|\!\}}$ with $a \in ACom \cup \{\epsilon\}$

$(\mathit{channel})\quad \dfrac{i \xrightarrow[l]{\chi(k_{chan_\rho(\tau)})} i'}{K :: \{\!|i|\!\} \xrightarrow{\epsilon} K \cup \{k_{chan_\rho(\tau)}\} :: \{\!|i'|\!\}}$

$(\mathit{spawn}_2)\quad \dfrac{i \xrightarrow[l]{\phi(cv)} i'}{K :: \{\!|i|\!\} \xrightarrow{\epsilon} K :: \{\!|i', cv\ ()|\!\}}$

$(\mathit{communication})\quad \dfrac{i_1 \xrightarrow[l]{k_{chan_\rho(\tau)}?\tau} i_1' \qquad i_2 \xrightarrow[l']{k_{chan_\rho(\tau)}!cv} i_2'}{K :: \{\!|i_1, i_2|\!\} \xrightarrow{\epsilon} K :: \{\!|i_1'[cv]_l, i_2'|\!\}}$

$(\mathit{isolation})\quad \dfrac{K :: P_1 \xrightarrow{a} K' :: P_1'}{K :: P_1 \cup P_2 \xrightarrow{a} K' :: P_1' \cup P_2}$
7.1 Syntax 

The syntax of formulae is presented in Table 12. We refer to this logic as 



Table 12. The logic

$\varphi ::= \mathit{tt} \mid \mathit{ff} \mid X \mid \neg\varphi \mid \varphi \vee \varphi' \mid \varphi \wedge \varphi'$  (Boolean Expressions)

$\quad \mid \langle a \rangle \varphi \mid \langle return(cv) \rangle$  (Diamond Formulae)

$\quad \mid [a]\varphi \mid [return(cv)]$  (Box Formulae)

$\quad \mid \nu X.\varphi$  (Greatest Fixpoint Formulae)

$\quad \mid \mu X.\varphi$  (Least Fixpoint Formulae)

$a ::= k\ dir\ cv \mid \epsilon$  (Actions)

$dir ::= \,!\, \mid \,?$  (Directions)



The symbols $\neg$, $\vee$ and $\wedge$ respectively represent negation, disjunction and 
conjunction. The symbol $\langle a \rangle$ (resp. $\langle return(cv) \rangle$) is a modal operator indexed 
by $a$ (resp. by $return(cv)$) known as the diamond. The meaning of modalized 
formulae appeals to the transition behavior of a program. For instance, a program 
satisfies the formula $\langle a \rangle \varphi$ if it can evolve to some $K$-configuration obeying $\varphi$ by 
performing an action $a$. The actions can either be the silent action $\epsilon$ or the 
communication actions $k!cv$ or $k?cv$. Furthermore, a program satisfies the formula 
$\langle return(cv) \rangle$ if it can return the value $cv$. In the same way, the symbol $[a]$ (resp. 
$[return(cv)]$) is a modal operator known as the box. A program satisfies the formula 
$[a]\varphi$ if after every performance of an action $a$, each resulting $K$-configuration 
satisfies $\varphi$. Furthermore, a program satisfies the formula $[return(cv)]$ if it 
necessarily returns the value $cv$. Variables are ranged over by $X$. The formula $\mu X.\varphi$ 
(resp. $\nu X.\varphi$) is a recursive formula where the least fixpoint operator $\mu$ (resp. the 
greatest fixpoint operator $\nu$) binds all free occurrences of $X$ in $\varphi$. An occurrence 
of $X$ is free if it is not within the scope of a binder $\nu X$ or $\mu X$. Note that, as in the 
μ-calculus, all occurrences of $X$ in $\varphi$ must appear inside the scope of an even 
number of negations. This ensures the existence of the fixpoints. 

7.2 Semantics 

Formulae are interpreted over models of the form $\mathcal{M} = \langle ST, L \rangle$, where $ST = 
(Conf_K, ACom \cup \{\epsilon\}, \rightarrow)$, and environments of the form $e = [X_i \mapsto \mathcal{P}_i]$ which 
map variables $X_i$ to sets of $K$-configurations. Semantically, formulae of the logic 
correspond to the sets of $K$-configurations for which they are true. The meaning 
function $[\![\cdot]\!]_e$, which maps each formula to a subset of $C$ (an element of $2^C$), is described in Table 13. The set $C$ refers to the set of 
$K$-configurations. 

Intuitively, all $K$-configurations satisfy the formula $\mathit{tt}$ while no 
$K$-configuration satisfies $\mathit{ff}$. The meaning of a variable $X$ is simply the set of $K$-
configurations that are bound to $X$ in the environment $e$. Negation, disjunction 
and conjunction are interpreted in the classical way. The meaning of formulae $\langle a \rangle$ 
Table 13. The semantics

$[\![\mathit{tt}]\!]_e = C$

$[\![\mathit{ff}]\!]_e = \emptyset$

$[\![X]\!]_e = e(X)$

$[\![\neg\varphi]\!]_e = C \setminus [\![\varphi]\!]_e$

$[\![\varphi_1 \vee \varphi_2]\!]_e = [\![\varphi_1]\!]_e \cup [\![\varphi_2]\!]_e$

$[\![\varphi_1 \wedge \varphi_2]\!]_e = [\![\varphi_1]\!]_e \cap [\![\varphi_2]\!]_e$

$[\![\langle\epsilon\rangle\varphi]\!]_e = \{c \in C \mid \exists c'.\ c \xrightarrow{\epsilon} c' \wedge c' \in [\![\varphi]\!]_e\}$

$[\![[\epsilon]\varphi]\!]_e = \{c \in C \mid \forall c'.\ c \xrightarrow{\epsilon} c' \Rightarrow c' \in [\![\varphi]\!]_e\}$

$[\![\langle k!cv\rangle\varphi]\!]_e = \{c \in C \mid \exists c', cv'.\ c \xrightarrow{k!cv'} c' \wedge c' \in [\![\varphi[cv'/cv]]\!]_e \wedge cv \preceq cv'\}$

$[\![[k!cv]\varphi]\!]_e = \{c \in C \mid \forall c', \exists cv'.\ c \xrightarrow{k!cv'} c' \Rightarrow (c' \in [\![\varphi[cv'/cv]]\!]_e \wedge cv \preceq cv')\}$

$[\![\langle k?cv\rangle\varphi]\!]_e = \{c \in C \mid \exists c', \tau\ \text{where}\ TypeOf(cv) = \tau.\ c \xrightarrow{k?\tau} c' \wedge c' \in [\![\varphi[\tau/cv]]\!]_e\}$

$[\![[k?cv]\varphi]\!]_e = \{c \in C \mid \forall c', \exists \tau\ \text{where}\ TypeOf(cv) = \tau.\ c \xrightarrow{k?\tau} c' \Rightarrow c' \in [\![\varphi[\tau/cv]]\!]_e\}$

$[\![\langle return(cv)\rangle]\!]_e = \{c \in C \mid \exists n \in \mathbb{N}.\ c \rightarrow c_1 \rightarrow c_2 \cdots \rightarrow cv\}$

$[\![[return(cv)]]\!]_e = \{c \in C \mid \forall cv', \exists n \in \mathbb{N}.\ c \rightarrow c_1 \rightarrow c_2 \cdots \rightarrow cv' \Rightarrow (cv = cv')\}$

$[\![\mu X.\varphi]\!]_e = \bigcap\{C' \subseteq C \mid [\![\varphi]\!]_{e[X \mapsto C']} \subseteq C'\}$

$[\![\nu X.\varphi]\!]_e = \bigcup\{C' \subseteq C \mid C' \subseteq [\![\varphi]\!]_{e[X \mapsto C']}\}$



$\varphi$ is the set of $K$-configurations $c$ that can evolve, by performing an action $a$, to some 
$K$-configuration $c'$ such that $c'$ is part of the meaning of $\varphi$. More precisely, if 
the action $a$ is an output communication action involving a value $cv$, then we 
must ensure the existence of a constant $cv'$ such that $cv \preceq cv'$. The preorder 
relation $\preceq$ is defined on abstract values as below: 

$cv \preceq cv' \iff \exists\theta.\ \theta(cv') = cv$

where $\theta$ is a substitution. Moreover, the $K$-configuration $c'$ must be part of the 
meaning of the formula $\varphi$ in which each occurrence of $cv$ is replaced by $cv'$. If 
the action $a$ is an input communication action involving a value $cv$, then we 
must ensure the existence of a type $\tau$ such that $TypeOf(cv) = \tau$, and the $K$-
configuration $c'$ must be part of the meaning of the formula $\varphi$ in which each 
occurrence of $cv$ is replaced by the type $\tau$. 

The meaning of formulae $[a]\varphi$ is the set of $K$-configurations $c$ such that after every 
action $a$, each resulting $K$-configuration $c'$ is part of the meaning of $\varphi$. The meaning 
of the formula $\langle return(cv) \rangle$ is the set of $K$-configurations $c$ that can evolve through $n$ 
transitions such that the resulting $K$-configuration is the value $cv$. In the same 
way, the meaning of the formula $[return(cv)]$ is the set of $K$-configurations that, when they 
evolve through $n$ transitions to a value, reach the value $cv$ and no other. The meaning of the fixpoint formulae is the same as in the μ-calculus. 
Hence the greatest fixpoint is given as the union of all post-fixpoints whereas 
the least fixpoint is the intersection of all pre-fixpoints. 
8 A Model-Checking Algorithm 

In this section, we present an adaptation of the model-checking algorithm proposed 
by Emerson and Lei. Table 14 contains an algorithm that determines 
whether or not a structure $\mathcal{M} = \langle ST, L \rangle$ is a model for a formula $\psi_0$. 



Table 14. Symbolic model-checking algorithm

Function MC(ψ0, M)
  var C', C1;
  begin
    case ψ0 of
      tt:            C' = C;
      ff:            C' = ∅;
      X:             C' = C1;
      ¬ψ:            C' = C \ MC(ψ, M);
      ψ1 ∨ ψ2:       C' = MC(ψ1, M) ∪ MC(ψ2, M);
      ψ1 ∧ ψ2:       C' = MC(ψ1, M) ∩ MC(ψ2, M);
      ⟨ε⟩ψ:          C' = {c ∈ C | ∃c'. c --ε--> c' ∧ c' ∈ MC(ψ, M)};
      [ε]ψ:          C' = {c ∈ C | ∀c'. c --ε--> c' ⇒ c' ∈ MC(ψ, M)};
      ⟨k!cv⟩ψ:       C' = {c ∈ C | ∃c', cv'. c --k!cv'--> c' ∧ c' ∈ MC(ψ[cv'/cv], M) ∧ cv ≼ cv'};
      [k!cv]ψ:       C' = {c ∈ C | ∀c', ∃cv'. c --k!cv'--> c' ⇒ c' ∈ MC(ψ[cv'/cv], M) ∧ cv ≼ cv'};
      ⟨k?cv⟩ψ:       C' = {c ∈ C | ∃c', τ where TypeOf(cv) = τ. c --k?τ--> c' ∧ c' ∈ MC(ψ[τ/cv], M)};
      [k?cv]ψ:       C' = {c ∈ C | ∀c', ∃τ where TypeOf(cv) = τ. c --k?τ--> c' ⇒ c' ∈ MC(ψ[τ/cv], M)};
      ⟨return(cv)⟩:  C' = {c ∈ C | ∃n ∈ ℕ. c --> c1 --> c2 ... --> cv};
      [return(cv)]:  C' = {c ∈ C | ∀cv', ∃n ∈ ℕ. c --> c1 --> c2 ... --> cv' ⇒ (cv = cv')};
      μX.ψ:          C1 = ∅; repeat C' = C1; C1 = MC(ψ, M); until C' = C1;
      νX.ψ:          C1 = C; repeat C' = C1; C1 = MC(ψ, M); until C' = C1;
    end;
    return(C');
  end.



The algorithm follows these three steps: 

1. Convert the formula $\psi_0$ to its equivalent PNF $\psi_0'$. 

2. Compute the set $C'$ of $K$-configurations in which $\psi_0'$ holds. 

3. If $C' \neq \emptyset$ then $\mathcal{M}$ is a model for $\psi_0$, else it is not a model for $\psi_0$. 
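The fixpoint loops of Table 14 are the part most easily got wrong (the starting approximation decides which fixpoint the iteration converges to), so the following Python program is added here as a runnable illustration of the algorithm; it is not the paper's code. It implements the propositional core of the logic (tt, ff, variables, ¬, ∨, ∧, ⟨a⟩, [a], μ, ν) over a finite labeled transition system. Two simplifications are assumptions of this example: variables are resolved through an environment argument instead of the single global C1 of the table, and the value-passing modalities (the ≼ preorder, the TypeOf substitution and the return modalities) are left out, so an action label such as `k!int` is just a string whose transmitted value has already been abstracted to its type in the spirit of Section 6. The graph `EXAMPLE` is constructed for the demonstration and is not derived from any program in the paper; it separates a "may eventually send" property from a "must eventually send" one, which differ on a configuration that can silently branch into a loop that never sends.

```python
"""Fixpoint model checking in the style of Table 14 (added example)."""

# Formulae are nested tuples:
#   ('tt',) ('ff',) ('var', X) ('not', f) ('or', f, g) ('and', f, g)
#   ('dia', a, f)  -- <a> f          ('box', a, f)  -- [a] f
#   ('mu', X, f)   -- least fixpoint ('nu', X, f)   -- greatest fixpoint


class LTS:
    """Finite set of states plus labelled transitions (source, action, target)."""

    def __init__(self, transitions):
        self.trans = frozenset(transitions)
        self.states = frozenset(x for s, _, t in self.trans for x in (s, t))

    def dia(self, a, targets):
        """<a>: states with at least one a-successor inside `targets`."""
        return frozenset(s for s, b, t in self.trans if b == a and t in targets)

    def box(self, a, targets):
        """[a]: states all of whose a-successors lie in `targets`
        (vacuously true for a state without a-successors)."""
        return frozenset(
            s for s in self.states
            if all(t in targets for u, b, t in self.trans if u == s and b == a)
        )


def mc(phi, lts, env=None):
    """Return the set of states of `lts` that satisfy `phi`."""
    env = env or {}
    kind = phi[0]
    if kind == 'tt':
        return lts.states
    if kind == 'ff':
        return frozenset()
    if kind == 'var':
        return env[phi[1]]                      # X: the current approximation
    if kind == 'not':
        return lts.states - mc(phi[1], lts, env)
    if kind == 'or':
        return mc(phi[1], lts, env) | mc(phi[2], lts, env)
    if kind == 'and':
        return mc(phi[1], lts, env) & mc(phi[2], lts, env)
    if kind == 'dia':
        return lts.dia(phi[1], mc(phi[2], lts, env))
    if kind == 'box':
        return lts.box(phi[1], mc(phi[2], lts, env))
    if kind in ('mu', 'nu'):
        # Table 14: C1 := MC(psi) with X bound to C1, repeated until stable.
        # Starting from the empty set yields the least fixpoint, starting
        # from the whole state space yields the greatest one.
        approx = frozenset() if kind == 'mu' else lts.states
        while True:
            nxt = mc(phi[2], lts, {**env, phi[1]: approx})
            if nxt == approx:
                return approx
            approx = nxt
    raise ValueError(f"unknown formula {phi!r}")


# Constructed K-configuration graph (not from the paper): c0 silently
# reduces either to c1, which eventually emits k!int, or to c4, a branch
# that spins forever without sending; c2/c3 follow the send.
EXAMPLE = LTS({
    ('c0', 'eps', 'c1'), ('c0', 'eps', 'c4'),
    ('c1', 'eps', 'c1'), ('c1', 'k!int', 'c2'),
    ('c2', 'eps', 'c3'), ('c3', 'eps', 'c3'),
    ('c4', 'eps', 'c4'),
})

TT = ('tt',)
SEND = ('dia', 'k!int', TT)                                  # <k!int> tt
# may eventually send:   mu Y. <k!int>tt or <eps>Y
MAY_SEND = ('mu', 'Y', ('or', SEND, ('dia', 'eps', ('var', 'Y'))))
# must eventually send:  mu Y. <k!int>tt or (<eps>tt and [eps]Y)
MUST_SEND = ('mu', 'Y', ('or', SEND,
             ('and', ('dia', 'eps', TT), ('box', 'eps', ('var', 'Y')))))
# at most one send ever: nu X. [k!int](nu Z. not <k!int>tt and [eps]Z) and [eps]X
NO_MORE_SENDS = ('nu', 'Z', ('and', ('not', SEND), ('box', 'eps', ('var', 'Z'))))
AT_MOST_ONE = ('nu', 'X', ('and', ('box', 'k!int', NO_MORE_SENDS),
               ('box', 'eps', ('var', 'X'))))


def check_example():
    """Evaluate the three properties on EXAMPLE; returns name -> state set."""
    return {
        'may_send': mc(MAY_SEND, EXAMPLE),
        'must_send': mc(MUST_SEND, EXAMPLE),
        'at_most_one_send': mc(AT_MOST_ONE, EXAMPLE),
    }


if __name__ == '__main__':
    for name, confs in check_example().items():
        print(f"{name}: {sorted(confs)}")
```

Running it shows `may_send` holding in c0 and c1 but `must_send` only in c1: from c0 the silent step into c4 can forever avoid the send, which is exactly the kind of control-flow fact the μ-formula with a box inside detects and the plain diamond formula does not.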
9 Conclusion 

In this paper, we have considered the problem of formal and automatic verification 
of data and control aspects for a higher-order value-passing process algebra. 
Our contribution is a new approach that rests on an established synergy between 
model-checking and type inference. Such a synergy is achieved thanks to three 
results. First, starting from a concrete dynamic semantics we derive an abstract 
dynamic semantics. By doing so, we ensure that infinite models will likely be 
reduced to finite verifiable models. The source of infiniteness is the computable 
values. The solution is to abstract these values into finite representations that 
are types. Second, starting from the propositional modal μ-calculus, we define 
a logic that handles communication, value-passing, result returns, and higher-
order objects. The logic is semantically interpreted over the abstract dynamic 
semantics. Finally, we propose a verification algorithm based on model-checking 
techniques. Since the model is finite and thanks to the soundness of the abstract 
dynamic semantics, the usual algorithms may be easily accommodated to the 
model-checking of our logic. We present an accommodation of Emerson and Lei's 
algorithm. 

As future work, we plan to investigate abstraction techniques for dealing 
with other sources of model infinity such as infinite process and channel creation. 
To that end, we will take advantage of the pioneering work done by D. Schmidt 
on the abstract interpretation of small-step semantics. Furthermore, we 
are interested in tracking infinities that may arise from arithmetic manipulation. 
For that, we will explore the emerging application of Presburger arithmetic to 
handle this problem. Finally, as a downstream result of this research, we hope 
to come up with practical tools that address the verification of higher-order 
concurrent systems. 
Abstract. We present a refinement calculus for shared-variable parallel 
programs. The calculus allows the stepwise formal derivation of a 
low-level implementation from a trusted high-level specification. It is 
based on a trace-theoretic semantic model that supports local variable 
declaration and fair parallel composition. Compositionality is achieved 
through assumption-commitment reasoning. The refinement rules are 
syntax-directed in the sense that each rule corresponds to a specific 
language construct. The calculus is applicable to terminating and non-
terminating programs and supports reasoning about liveness properties 
like termination and eventual entry. A detailed example is given and 
related work is reviewed. 



1 Introduction 

Formal support for the design and verification of parallel programs has been an 
important research topic for a long time. Some of the approaches, for instance, attempt 
to generalize Hoare logic to a parallel setting and suggest syntax-directed 
proof systems. In a different approach, Back and his colleagues 
generalize sequential programming by grouping independent transitions 
into actions that are assumed to be executed atomically. The resulting action 
systems thus inherit a lot of the theory of sequential programming despite 
the presence of concurrency. Other approaches require a more radical departure 
from sequential programming and defy easy classification. 

Independent of these efforts, traces have been realized as the adequate tool 
for modeling concurrent computation. Our point of departure here is 
Brookes' transition trace semantics. In that work, a combination of transition traces (sequences 
of pairs of states) together with two straightforward closure conditions 
(stuttering and mumbling) gives rise to an elegant, fully abstract, denotational 
semantics $\mathcal{T}$ for a language that includes local variable declarations, synchronization 
and fair parallelism. The semantics validates several natural laws of 
concurrent programming, like, for instance, the commutativity and associativity 
of fair parallel composition 

$C_1 \| C_2 =_\mathcal{T} C_2 \| C_1 \qquad (C_1 \| C_2) \| C_3 =_\mathcal{T} C_1 \| (C_2 \| C_3)$

A.M. Haeberer (Ed.): AMAST'98, LNCS 1548, pp. 231 ff., 1998. 

(c) Springer-Verlag Berlin Heidelberg 1998 
or the idempotence of skip 

$C; \mathtt{skip} =_\mathcal{T} \mathtt{skip}; C =_\mathcal{T} C \| \mathtt{skip} =_\mathcal{T} C$

where $C_1 =_\mathcal{T} C_2$ abbreviates $\mathcal{T}[\![C_1]\!] = \mathcal{T}[\![C_2]\!]$. 

In the present paper, we argue that Brookes' transition trace semantics provides 
an ideal formal basis for the study of stepwise refinement for parallel programs. 
The pleasant meta-theory and robustness of $\mathcal{T}$ allow for the development 
of a refinement calculus that, in our opinion, constitutes a contribution even in 
the face of a large body of existing related work. More precisely, we use a notion 
of context-sensitive approximation for transition traces that was introduced 
in earlier work to define a syntax-directed refinement calculus that supports compositional 
reasoning, local variables, fairness and reasoning about liveness properties like 
termination or eventual entry.¹ Preliminary results indicate that our approach 
is also applicable to distributed notions of concurrency. 

The next section reviews some necessary background and is mostly based 
on Brookes' transition trace semantics. Section 3 introduces our notion of refinement. Section 4 presents a 
detailed example. Section 5 concludes and discusses related work. 

2 Background 

2.1 Syntax and Semantics of Programs 

Our notion of program is non-standard in the sense that it allows for very abstract 
descriptions of computations. More precisely, some programs in our setting 
are either too abstract to be executable or do not have a direct computational 
interpretation and thus should be viewed as specifications rather than executable 
code. The most basic program components are atomic statements of the form 
$V:[P, Q]$, where $V$ is a finite set of variables and $P$ and $Q$ are assertions. 
Such a statement describes a single atomic transition, which transforms a state satisfying 
$P$ into one satisfying $Q$ by changing only the variables in $V$. A random 
assignment which may set $x$ to any natural number can thus be described by 
$\{x\}:[tt, x \geq 0]$. An idling, or stuttering, step is expressed as $\mathtt{skip} = \emptyset:[tt, tt]$. 

To be able to refer to the value a variable held initially, i.e., at the beginning 
of the transition, we reserve "hooked" variables $\overleftarrow{x}$ in $Q$. The meaning of the 
multiple assignment statement $x, y := x + 1, 0$, for example, is thus captured by 
$\{x, y\}:[tt, x = \overleftarrow{x} + 1 \wedge y = 0]$. If an assertion does not contain hooked variables it 
is called unary. Otherwise it is called binary. In a statement $V:[P, Q]$, $P$ must be 
unary, whereas $Q$ may be unary or binary. The semantics of atomic statements 
is conveniently captured by characteristic formulas. 

Definition 1. Let $Var$ denote the set of all program variables and let $\iota$ be a 
metavariable that ranges over program variables. Given an atomic statement 
$V:[P, Q]$, its characteristic formula $cf_{V:[P,Q]}$ is given by the predicate 

$cf_{V:[P,Q]} = \overleftarrow{P} \wedge Q \wedge \forall \iota \in Var - V.\ \iota = \overleftarrow{\iota}$

where $\overleftarrow{P}$ abbreviates the substitution of all free unhooked variables in $P$ by their 
hooked counterparts. We interpret a binary assertion $Q$ over pairs of states $(s, s')$ 
where $s$ assigns values to hooked variables and $s'$ to the unhooked ones. More 
precisely, $(s, s') \models Q$ iff replacing the hooked variables in $Q$ by their values in $s$ 
and replacing the unhooked variables in $Q$ by their values in $s'$ makes $Q$ true. 

For instance, the statement $x, y := x + 1, 0$ has the characteristic formula 

$cf_{x,y := x+1,0} = x = \overleftarrow{x} + 1 \wedge y = 0 \wedge \forall \iota \in Var - \{x, y\}.\ \iota = \overleftarrow{\iota}.$

¹ A program $C$ is said to have the eventual entry property if control always eventually 
gets past every await statement in $C$. 

More complex programs can be built using sequential and parallel composition, 
disjunction, iteration, quantification, and hiding. Programs are ranged 
over by $C, D$. An important extension to the standard shared-variable parallel 
language involves labels. Consider the parallel composition $C_1 \| C_2$. In order to 
be able to distinguish the transitions of $C_1$ from those of $C_2$, we allow $C_1$ to 
be enclosed in angle brackets to form $\langle C_1 \rangle \| C_2$. A program that contains exactly 
one subprogram enclosed in angle brackets is called labeled. A program that contains 
no angle brackets is unlabeled. The following grammar generates labeled 
and unlabeled programs: 

$C ::= V:[P, Q] \mid C_1; C_2 \mid \langle D \rangle \mid C_1 \vee C_2 \mid C_1 \| C_2 \mid C^* \mid C^+ \mid C^\omega \mid \forall x \in I.\,C \mid \mathtt{new}\ x = v\ \mathtt{in}\ C$

$D ::= V:[P, Q] \mid D_1; D_2 \mid D_1 \vee D_2 \mid D_1 \| D_2 \mid D^* \mid D^+ \mid D^\omega \mid \forall x \in I.\,D \mid \mathtt{new}\ x = v\ \mathtt{in}\ D$

where $I$ is some index set over the domain of $x$, that is, $I \subseteq Dom_x$. Contexts, 
ranged over by $E$, are unlabeled programs with exactly one hole. 

$E ::= [\,] \mid C; E \mid E; C \mid C \vee E \mid E \vee C \mid C \| E \mid E \| C \mid E^* \mid E^+ \mid E^\omega \mid \mathtt{new}\ x = v\ \mathtt{in}\ E$

A context $E$ gives rise to a program $E[C]$ if the hole in $E$ is replaced by $C$. 
Very often, we will consider a labeled statement $\langle C \rangle$ in some context, that is, 
$E[\langle C \rangle]$ yields the labeled program that is obtained by replacing the hole in $E$ 
by $\langle C \rangle$. We call a context $E$ parallel if the hole is in the scope of a parallel 
composition, that is, if there are $E_1$, $E_2$ and $C$ such that $E = E_1[E_2 \| C]$. A 
context is sequential if it is not parallel. 

Transition Traces. Let $s, s', s_i \in \Sigma$ denote states, that is, mappings from the 
finite set of program variables $Var$ to values. Transition traces² 

$(s_0, s_0')(s_1, s_1') \ldots (s_i, s_i') \ldots$

have proven very useful for the definition of compositional models of shared-
variable concurrency. One such trace represents a possible "interactive" 
computation of a command in which state changes made by the command (from 
$s_i$ to $s_i'$) are interleaved with state changes made by its environment (from $s_i'$ 
to $s_{i+1}$). The meaning of a program is given by a set of transition traces. To 
describe the meaning of a labeled program $\langle C_1 \rangle \| C_2$ we will consider labeled 
transition traces of the form 

$(s_0, l_0, s_0')(s_1, l_1, s_1') \ldots (s_i, l_i, s_i') \ldots$

where each transition carries a label $l$ from the set $\Lambda = \{p, e\}$. A transition 
labeled with $p$ was caused by a statement inside the angle brackets, that is, by 
$C_1$, and is called a program transition. A transition with $e$ is due to $C_2$ and is 
called an environment transition. By describing a labeled program by means of 
labeled transition traces we thus regard it as an open system while singling out 
the transitions made by a specific part of the program. In other words, $\langle C_1 \rangle \| C_2$ 
can be thought of as an open system whose environment is known to at least 
comprise $C_2$. 

² Sometimes also called potential or partial computations or extended sequences. 

In the semantics, trace sets will be closed under two conditions: stuttering 
and mumbling. These two conditions were used in [2] to achieve full abstraction. 
They correspond, respectively, to reflexivity and transitivity of the transition relation 
in a conventional operational semantics. Given a set $T$ of traces, the closure $T^\dagger$ 
under stuttering and mumbling is the smallest set which contains $T$ and 
satisfies: 

Stuttering: if $\alpha\beta \in T^\dagger$ then $\alpha(s, p, s)\beta \in T^\dagger$ and $\alpha(s, e, s)\beta \in T^\dagger$, and 

Mumbling: 1. if $\alpha(s, l, s)(s, l', s')\beta \in T^\dagger$ then $\alpha(s, l', s')\beta \in T^\dagger$, and 

2. if $\alpha(s, l, s')(s', l', s')\beta \in T^\dagger$ then $\alpha(s, l, s')\beta \in T^\dagger$, and 

3. if $\alpha(s, l, s')(s', l, s'')\beta \in T^\dagger$ then $\alpha(s, l, s'')\beta \in T^\dagger$. 

Before the denotational semantics of programs is presented, we introduce 
some notation and define a few operations on traces and sets of traces. The 
concatenation $T_1; T_2$ and the infinite iteration operation $T^\omega$ are defined as 

$T_1; T_2 = \{\alpha\beta \mid \alpha \in T_1 \wedge \beta \in T_2\}^\dagger$

$T^\omega = \{\alpha_0 \ldots \alpha_n \ldots \mid \forall i \geq 0.\ \alpha_i \in T\}^\dagger$

$T^*$ denotes the smallest set containing $T$ and the empty trace, closed under 
stuttering, mumbling and concatenation. Fair parallel composition is modeled 
by fair interleaving of sets of traces 

$T_1 \| T_2 = \bigcup\{\alpha_1 \| \alpha_2 \mid \alpha_1 \in T_1 \wedge \alpha_2 \in T_2\}^\dagger$

where $\alpha \| \beta$ is the set of all traces built by fairly interleaving $\alpha$ and $\beta$. A precise 
definition of this operation is given in the literature and is omitted here. 



Local Variables. $[s \mid x = v]$ denotes the state that is like $s$ except that the value 
of $x$ is updated to $v$. Let $\alpha = (s_0, l_0, s_0')(s_1, l_1, s_1') \ldots (s_i, l_i, s_i') \ldots$ be a transition 
trace. The trace $(x = v)\alpha$ is like $\alpha$ except that $x$ is initialized to $v$ in the first 
state and that the value of $x$ is retained across points of possible interference. 
More precisely, $(x = v)\alpha$ is 

$([s_0 \mid x = v], l_0, s_0')([s_1 \mid x = s_0'(x)], l_1, s_1') \ldots ([s_i \mid x = s_{i-1}'(x)], l_i, s_i') \ldots$

The trace $\alpha \backslash x$ on the other hand describes a computation like $\alpha$ except that 
it never changes the value of $x$. That is, $\alpha \backslash x$ is 

$(s_0, l_0, [s_0' \mid x = s_0(x)])(s_1, l_1, [s_1' \mid x = s_1(x)]) \ldots (s_i, l_i, [s_i' \mid x = s_i(x)]) \ldots$



We are now ready to present the semantics. Given a set $T$, let $T^\infty$ denote 
$T^* \cup T^\omega$. Let $\mathcal{P}^\dagger(T)$ denote the set of all subsets of $T$ that are closed under 
stuttering and mumbling. 

Definition 2. The semantic function $\mathcal{T}$ maps labeled and unlabeled programs 
and statements to $\mathcal{P}^\dagger((\Sigma \times \Lambda \times \Sigma)^\infty)$ and is defined as $\mathcal{T}_e[\![\cdot]\!]$, where $\mathcal{T}_l[\![\cdot]\!]$ for 
$l \in \Lambda$ is given by 

$\mathcal{T}_l[\![V:[P,Q]]\!] = \{(s, l, s') \mid (s, s') \models cf_{V:[P,Q]}\}^\dagger$

$\mathcal{T}_l[\![\langle C \rangle]\!] = \mathcal{T}_p[\![C]\!]$

$\mathcal{T}_l[\![C_1; C_2]\!] = \mathcal{T}_l[\![C_1]\!]; \mathcal{T}_l[\![C_2]\!]$

$\mathcal{T}_l[\![C_1 \vee C_2]\!] = \mathcal{T}_l[\![C_1]\!] \cup \mathcal{T}_l[\![C_2]\!]$

$\mathcal{T}_l[\![C_1 \| C_2]\!] = \mathcal{T}_l[\![C_1]\!] \| \mathcal{T}_l[\![C_2]\!]$

$\mathcal{T}_l[\![C^*]\!] = (\mathcal{T}_l[\![C]\!])^*$

$\mathcal{T}_l[\![C^\omega]\!] = (\mathcal{T}_l[\![C]\!])^\omega$

$\mathcal{T}_l[\![\forall x \in I.\,C]\!] = \{\alpha \mid \forall v \in I.\ \alpha \in \mathcal{T}_l[\![C[v/x]]\!]\}^\dagger$

$\mathcal{T}_l[\![\mathtt{new}\ x = v\ \mathtt{in}\ C]\!] = \{\alpha \backslash x \mid (x = v)\alpha \in \mathcal{T}_l[\![C]\!]\}^\dagger$

The traces of $\mathtt{new}\ x = v\ \mathtt{in}\ C$ do not change the value of $x$ and are obtained 
by executing $C$ under the assumption that $x$ is set to $v$ initially and that the 
environment cannot change the value of $x$. 

The standard shared-variable parallel programming language that was used 
in earlier work, for instance, is embedded into our setting through the following abbreviations. 
Note how the await statement is implemented using busy waiting. Let $e$ 
range over arithmetic and boolean expressions and let $B$ be a boolean expression. 

$\{B\} \equiv \emptyset:[B, B]$

$\mathtt{skip} \equiv \{tt\}$

$x := e \equiv \{x\}:[tt, x = \overleftarrow{e}]$

$\mathtt{if}\ B\ \mathtt{then}\ C_1\ \mathtt{else}\ C_2 \equiv (\{B\}; C_1) \vee (\{\neg B\}; C_2)$

$\mathtt{while}\ B\ \mathtt{do}\ C \equiv ((\{B\}; C)^*; \{\neg B\}) \vee (\{B\}; C)^\omega$

$\mathtt{await}\ B\ \mathtt{then}\ V:[P, Q] \equiv \{\neg B\}^*; V:[P \wedge B, Q] \vee \{\neg B\}^\omega$



Additionally, we will use the following abbreviations. Remember that $Var$ denotes 
the set of all program variables. Given a set of variables $V$, let $\mathcal{P}(V)$ denote 
the set of all predicates (unary assertions) over $V$. Let $\Gamma \subseteq \mathcal{P}(Var)$. 

$C^\infty \equiv C^* \vee C^\omega$

$\mathtt{inv}\ e \equiv Var:[tt, e = \overleftarrow{e}]$

$\mathtt{inv}^\infty\ e \equiv (\mathtt{inv}\ e)^\infty$

$\mathtt{pre}\ B \equiv Var:[tt, \overleftarrow{B} \Rightarrow B]$

$\mathtt{pre}\ \Gamma \equiv \forall B \in \Gamma.\ \mathtt{pre}\ B$

$\mathtt{pre}^\infty\ \Gamma \equiv (\mathtt{pre}\ \Gamma)^\infty$

$C^\infty$ denotes finite and infinite iteration over $C$. $\mathtt{inv}\ e$ denotes the most general 
atomic transition that leaves the value of the expression $e$ invariant, that is, 
unchanged. For boolean expressions $B$ we will need the weaker property that 
$B$, if it is true before a transition, is still true after it. We say that $B$ 
is preserved. 

Definition 3. A trace $(s_0, l_0, s_0')(s_1, l_1, s_1') \ldots$ is connected if we have $s_i' = s_{i+1}$ 
for all $i \geq 0$. The executions $\mathcal{E}[\![C]\!]$ of a program $C$ are its connected transition 
traces. Let $C$ be a labeled or unlabeled program. Then, 

$\mathcal{E}[\![C]\!] = \{\alpha \in \mathcal{T}[\![C]\!] \mid \alpha\ \text{is connected}\}.$

Let $C_1 \sqsubseteq_\mathcal{T} C_2$ and $C_1 =_\mathcal{T} C_2$ abbreviate $\mathcal{T}[\![C_1]\!] \subseteq \mathcal{T}[\![C_2]\!]$ and $\mathcal{T}[\![C_1]\!] = \mathcal{T}[\![C_2]\!]$ 
respectively. Similarly for $\mathcal{E}$. 

2.2 Approximation 

A very natural notion of program approximation arises through transition trace 
inclusion. $\mathtt{inv}^\infty\ x$ is the most general program that never changes the value of $x$. 
For instance, a program $C$ always leaves the value of $x$ invariant in all contexts 
iff $C \sqsubseteq_\mathcal{T} \mathtt{inv}^\infty\ x$. 

Lemma 1. 1. If $C_1 \sqsubseteq_\mathcal{T} C_2$, then $C_1 \sqsubseteq_\mathcal{E} C_2$. 

2. $V_1:[P_1, Q_1] \sqsubseteq_\mathcal{T} V_2:[P_2, Q_2]$ iff $cf_{V_1:[P_1,Q_1]} \Rightarrow cf_{V_2:[P_2,Q_2]}$. 

3. Trace inclusion is a congruence, that is, $C_1 \sqsubseteq_\mathcal{T} C_2$ implies $E[C_1] \sqsubseteq_\mathcal{T} E[C_2]$ 
for all $E$. 

4. If $x \notin fv(C)$ then $\mathtt{new}\ x = v\ \mathtt{in}\ C =_\mathcal{T} C$. 

Trace inclusion between two programs $C_1$ and $C_2$ implies that in all possible 
contexts the executions of $C_1$ are contained in those of $C_2$ in the same context. 
Thus, whenever we want to do refinement in a specific context, trace set inclusion 
may be too strong, because it does not incorporate information about that 
particular context. In other words, $\sqsubseteq_\mathcal{T}$ is not context-sensitive. We now present 
a notion of approximation that is context-sensitive and that will form the basis 
of our stepwise refinement method. 

Definition 4. Let $C_1$ and $C_2$ be unlabeled programs and $E$ be a context. $C_1 \geq_E 
C_2$ iff $E[\langle C_1 \rangle] \sqsupseteq_\mathcal{E} E[\langle C_2 \rangle]$. 

$C_1 =_E C_2$ abbreviates $C_1 \leq_E C_2$ and $C_2 \leq_E C_1$. Intuitively, $C_1 \geq_E C_2$ if $E$ 
causes $C_2$ to exhibit only transitions that can be matched by $C_1$. In other words, 
$E$ cannot force $C_2$ to go beyond what $C_1$ can do. 

Example 1. Let $E_1 = y:[tt, y \geq 0]; [\,[\,] \| z := 0\,]$ and $E_2 = y:[tt, y \geq 0]; [\,[\,] \| y := 0\,]$. 
We have $x:[tt, x \geq \overleftarrow{x}] \geq_{E_1} x := x + y$, and $x:[tt, x \geq \overleftarrow{x}] \not\geq_{E_2} x := x + y$. The second 
approximation fails because in a state with $y < 0$, $x := x + y$ has transitions that 
cannot be matched by $x:[tt, x \geq \overleftarrow{x}]$. 
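Lemma 1(2) reduces trace inclusion between atomic statements to an implication between their characteristic formulas, and Definition 1 makes those formulas mechanical: hook the precondition, conjoin the postcondition, and frame every variable outside V. The following Python checker is an added example, not code from the paper. It evaluates $cf_{V:[P,Q]}$ over a small finite state space and decides $\sqsubseteq_\mathcal{T}$ between atomic statements by enumerating their one-step relations, returning an offending step when inclusion fails. The variable set {x, y} and the domain {-2, ..., 2} are assumptions made here so that the relation can be enumerated (a real tool would discharge $cf_1 \Rightarrow cf_2$ with a prover); the check is context-free, so the context-sensitive relation $\geq_E$ of Definition 4 is not implemented, but the failing case of Example 1 shows up as a counterexample step in which $y < 0$.

```python
"""Bounded refinement check for atomic statements V:[P, Q] through their
characteristic formulas (Definition 1, Lemma 1(2)). Added example."""
from itertools import product

VARS = ("x", "y")           # assumption: the program variables Var
DOM = range(-2, 3)          # constructed: x, y range over {-2, ..., 2}


def states():
    """Every state s : Var -> DOM, as a dict."""
    for vals in product(DOM, repeat=len(VARS)):
        yield dict(zip(VARS, vals))


def cf(V, P, Q):
    """Characteristic formula of V:[P, Q] as a predicate on (s, s').
    `s` supplies the hooked (initial) values and `s2` the unhooked (final)
    ones: hooked P holds in s, Q relates s and s2, and every variable
    outside V is unchanged (forall iota in Var - V . iota = hooked iota)."""
    def holds(s, s2):
        frame = all(s2[v] == s[v] for v in VARS if v not in V)
        return P(s) and Q(s, s2) and frame
    return holds


def steps(stmt):
    """One-step transition relation of an atomic statement on the bounded
    state space, as a set of (pre, post) value tuples."""
    V, P, Q = stmt
    holds = cf(V, P, Q)
    key = lambda s: tuple(s[v] for v in VARS)
    return {(key(s), key(s2)) for s in states() for s2 in states() if holds(s, s2)}


def refines(c1, c2):
    """c1 ⊑_T c2 on the bounded domain: every step of c1 is a step of c2
    (Lemma 1(2): cf_c1 implies cf_c2). Returns (True, None) or
    (False, smallest offending step)."""
    extra = steps(c1) - steps(c2)
    return (False, min(extra)) if extra else (True, None)


TT = lambda s: True

# Statements from Section 2.1 and Example 1, encoded as (V, P, Q); Q reads
# hooked variables from `s` and unhooked ones from `s2`.
SKIP = (set(), TT, lambda s, s2: True)                                  # {tt} = {}:[tt, tt]
INC_X = ({"x"}, TT, lambda s, s2: s2["x"] == s["x"] + 1)                 # x := x + 1
ADD_Y = ({"x"}, TT, lambda s, s2: s2["x"] == s["x"] + s["y"])            # x := x + y
NONDEC_X = ({"x"}, TT, lambda s, s2: s2["x"] >= s["x"])                  # x:[tt, x >= hooked x]
MULTI = ({"x", "y"}, TT, lambda s, s2: s2["x"] == s["x"] + 1 and s2["y"] == 0)  # x,y := x+1,0
INV_X = (set(VARS), TT, lambda s, s2: s2["x"] == s["x"])                 # inv x


if __name__ == "__main__":
    checks = {
        "x:=x+1 refines x:[tt, x>=x0]": (INC_X, NONDEC_X),
        "x:=x+y refines x:[tt, x>=x0]": (ADD_Y, NONDEC_X),
        "skip refines inv x": (SKIP, INV_X),
        "x,y:=x+1,0 refines inv x": (MULTI, INV_X),
    }
    for name, (c1, c2) in checks.items():
        print(name, refines(c1, c2))
```

The second check fails with the step ((-1, -1), (-2, -1)): with y = -1 the assignment decreases x, which x:[tt, x ≥ x⃖] cannot match. This is precisely why Example 1 needs the context E₁ that keeps y ≥ 0 for the approximation to hold, and why plain $\sqsubseteq_\mathcal{T}$ is too strong for refinement in a specific context.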
Lemma 2. $E[\langle C_1 \rangle] \sqsubseteq_\mathcal{E} E[\langle C_2 \rangle]$ implies $E[C_1] \sqsubseteq_\mathcal{E} E[C_2]$. 

It seems natural to attempt to distinguish contexts with respect to their "discriminating 
power". The context $E_1 = [\,] \| Var:[tt, tt]^*$, for instance, can 
do any transition at any time. The context $E_2 = [\,] \| \mathtt{inv}^*\ x$, however, can only 
do those transitions that leave $x$ invariant. Every approximation that holds with 
respect to $E_1$ will also hold with respect to $E_2$, whereas the converse is not true. 
$E_1$ is more general and thus has more discriminating power. In earlier work we discuss 
how context-approximation formalizes assumption-commitment reasoning and 
thus allows for modular proofs of the approximation $C_1 \leq_E C_2$. 

3 Refinement 

Our notion of refinement is based on assumption-commitment reasoning in the
spirit of [refs] to achieve compositionality. To illustrate the main idea, consider,
for instance, the programs $C = x := x + 1$ and $C' = x := 2$. Assuming an initial state
that satisfies $x = 1$ and a parallel context that preserves $x = 1$, every transition
of $C'$ can be matched by $C$ and thus $C$ can be refined into $C'$ (and vice versa).
If, moreover, the parallel context also preserves $x = 2$ we can conclude that $x$
will have value 2 upon termination. Also, $C'$ preserves all predicates $P$ for which
$P \wedge cf_{x:=2} \Rightarrow P'$. In our calculus this will be expressed by

$$x := x + 1 \;\succ^{x = 2,\;\Delta}_{x = 1,\;\{x = 1,\,x = 2\},\;\emptyset}\; x := 2$$

where $\Delta = \{P \mid P \wedge cf_{x:=2} \Rightarrow P'\}$. Sometimes the refinement requires the
introduction of new auxiliary variables that, for instance, store a temporary
result or step over an array. Suppose, for example, that we want to split the
assignment $C = x := 2 \cdot x + y$ into a sequence of simpler ones $C' = t := 2 \cdot x;\ x := t + y$.
$C'$ introduces the auxiliary variable $t$. Obviously, not every transition of $t := 2 \cdot x;\ x := t + y$
can be matched by $x := 2 \cdot x + y$. However, every transition that does
not affect the newly introduced variable $t$ still can be matched. In other words,
$C$ can match every transition of $C'$ modulo the changes to $t$. Formally,

$$x := 2 \cdot x + y \;\succ^{x = 3 \wedge y = 1 \wedge t = 2,\;\Delta}_{x = 1 \wedge y = 1,\;\Gamma,\;\{t\}}\; t := 2 \cdot x;\ x := t + y$$

where $\Gamma = \{x = 1,\, y = 1,\, t = 2,\, x = 3\}$ and $\Delta = \{P \mid P \wedge cf_{t:=2 \cdot x} \Rightarrow P'\} \cap \{P \mid P \wedge cf_{x:=t+y} \Rightarrow P'\}$.
The following definition formalizes this idea and forms the
heart of our calculus. To capture the partial correctness behaviour of a program,
we will adopt the standard Hoare-triple notation. $\{P\}\ C\ \{Q\}$ expresses that
every finite execution of $C$ with an initial state satisfying $P$ will end in a state
satisfying $Q$.

Definition 5. Let $P, Q$ be predicates and $\Gamma, \Delta$ be sets of predicates, that is,
$P, Q \in \mathcal{P}(Var)$ and $\Gamma, \Delta \subseteq \mathcal{P}(Var)$. We will assume that $\Gamma$ and $\Delta$ are closed
under logical equivalence, that is, $P \in \Gamma$ and $P \Leftrightarrow P'$ imply $P' \in \Gamma$. Also, let
$V \subseteq Var$. We say that $C'$ refines $C$ with respect to $P$, $\Gamma$, $V$, $Q$ and $\Delta$,

$$C \;\succ^{Q,\Delta}_{P,\Gamma,V}\; C'$$

for short, iff we have that

1. $C'$ approximates $C$ in the given context, that is, if $V = \{x_1, \ldots, x_n\}$, then
for all $1 \le i \le n$ and $v_i \in Dom_{x_i}$ such that $P \Rightarrow P[v_1/x_1, \ldots, v_n/x_n]$, we
have

$$C \;\succcurlyeq_{\,new\ x_1 = v_1, \ldots, x_n = v_n\ in\ \{P\};[\,[\,]\;\|\;pre^\infty\Gamma\,]}\; C'$$

and

2. $C'$ preserves the predicates in $\Delta$, that is,

$$pre^\infty\Delta \;\succcurlyeq_{\,\{P\};[\,[\,]\;\|\;pre^\infty\Gamma\,]}\; C'$$

and

3. if $C'$ and the parallel context terminate, they do so in a state satisfying $Q$,
that is,

$$\{P\}\ [\,C' \;\|\; pre^\infty\Gamma\,]\ \{Q\}.$$

Informally, $C \succ^{Q,\Delta}_{P,\Gamma,V} C'$ expresses that assuming an initial state that satisfies $P$
and a parallel context that preserves the predicates in $\Gamma$, then every transition of
$C'$ can be matched by $C$ modulo the changes to variables in $V$ and will preserve
all properties in $\Delta$. Also, if $C'$ and the parallel context terminate, they will do
so in a state satisfying $Q$. Thus, assumption-commitment reasoning is harnessed
for a notion of program transformation.



Refinement Rules Refinement is governed by the syntax-directed rules in
Figures 1 and 2 which form our refinement calculus. Due to space limitations
we do not prove the soundness of the rules here. However, we briefly explain the
intuition behind some of them.

ATOM The first premise ensures that for every transition $(s_2, s_2')$ of an atomic
statement $A_2$ there is a transition $(s_1, s_1')$ of $A_1$ such that $s_2$ coincides with $s_1$
modulo the variables in $V$ and $s_2'$ coincides with $s_1'$ modulo the variables in $V$.
The second premise shows that $Q$ holds immediately after termination of $A_2$.
The third premise ensures that $P$ and $Q$ are preserved by the environment.
PAR This is where keeping track of the assumptions $\Gamma$ and the commitments
$\Delta$ pays off and allows the formulation of a compositional rule. Guarantees
and assumptions have to mutually imply each other. The requirements $\Gamma_1$
of $C_1$ have to be contained in the guarantees of $C_2$ and vice versa. This
rule is similar in spirit to corresponding rules using assumption-commitment
reasoning (e.g., [refs]).

NEW-INTRO Like rule NEW, this rule weakens the assumptions and strengthens
the commitments. It is a straightforward consequence of NEW and
Lemma 1.4.

WHILE-INTRO This rule allows the replacement of a finite iteration with loop
condition $B$ and invariant $I$ by a while loop. Moreover, the body of the loop
may be refined. To show termination of the resulting while loop it recasts
the well-known total correctness rule for while loops in trace-theoretic terms
ATOM
$$\frac{(\exists Var \setminus V.\ P \wedge cf_{A_2}) \Rightarrow (\exists Var \setminus V.\ P \wedge cf_{A_1}) \qquad (P \wedge cf_{A_2}) \Rightarrow Q \qquad \{P, Q\} \subseteq \Gamma}{A_1 \;\succ^{Q,\Delta}_{P,\Gamma,V}\; A_2}$$

where $A_1$ and $A_2$ are atomic statements and $\Delta \subseteq \{P \mid P \wedge cf_{A_2} \Rightarrow P'\}$ and
$\exists\{x_1, \ldots, x_n\}.P$ stands for $\exists x_1, \ldots, x_n.P$.

SEQ: from $C_1 \succ^{Q_1,\Delta_1}_{P,\Gamma_1,V_1} C_1'$ and $C_2 \succ^{Q_2,\Delta_2}_{Q_1,\Gamma_2,V_2} C_2'$ conclude
$C_1;C_2 \;\succ_{P,\,\Gamma_1 \cup \Gamma_2,\,V_1 \cup V_2}\; C_1';C_2'$ [postcondition and commitments of the conclusion not legible in this copy].

WHILE: $while\ B\ do\ C \;\succ_{I,\,\Gamma \cup \{B'\},\,V}\; while\ B'\ do\ C'$ [premises not legible in this copy].

PAR: from $C_1 \succ^{Q_1,\Delta_1}_{P_1,\Gamma_1,V_1} C_1'$ and $C_2 \succ^{Q_2,\Delta_2}_{P_2,\Gamma_2,V_2} C_2'$, with the assumptions of each
component contained in the commitments of the other, conclude
$C_1 \| C_2 \;\succ_{P,\,\Gamma_1 \cup \Gamma_2,\,V_1 \cup V_2}\; C_1' \| C_2'$ [postcondition and commitments of the conclusion not legible in this copy].

NEW
$$\frac{C \;\succ^{Q,\Delta}_{P,\Gamma,V \cup \{x\}}\; C'}{new\ x = v\ in\ C \;\succ^{\exists x.Q,\;\Delta'}_{\exists x.P,\;\exists x.\Gamma,\;V}\; new\ x = v\ in\ C'}$$

where $\exists x.\Gamma = \{\exists x.P \mid P \in \Gamma\}$ and $\Delta' = \Delta \cup \{P \mid \exists x.P \in \Delta\}$.

WEAK
$$\frac{C_1' \;\succ^{Q',\Delta'}_{P',\Gamma',V'}\; C_2'}{C_1 \;\succ^{Q,\Delta}_{P,\Gamma,V}\; C_2}$$

where $C_1' \sqsubseteq_T C_1$, $C_2 \sqsubseteq_T C_2'$, $P \Rightarrow P'$, $Q' \Rightarrow Q$, $\Gamma' \subseteq \Gamma$, $\Delta \subseteq \Delta'$, and $V' \subseteq V$.

Fig. 1. Refinement rules



and also transfers it to a concurrent setting. Remember that $Var$ denotes all
program variables. Given a measure $m$, the statement $\alpha_m$ decreases $m$ if it
is not zero and leaves it unchanged if it is zero. Since each iteration brings
$m$ closer to 0 and the environment cannot increase $m$ due to $\Gamma_m$, $m$ must
eventually be set to 0, which implies $\neg B$ and thus termination of the loop.
AWAIT-INTRO This rule allows the introduction of the synchronization statement
$await$ with condition $B$. To show that $B$ eventually becomes and
remains true, the parallel context $D$ is shown to decrease $m$ until it is 0 and
then leave it unchanged. Note that the correctness of this rule relies on the
fairness of parallel composition.

Notation and Properties Let $C \succ^{Q,\Delta}_{P,\Gamma} C'$ stand for $C \succ^{Q,\Delta}_{P,\Gamma,\emptyset} C'$. To motivate
the next abbreviation, consider the programs $C_1 \| C_2$ and $C_1 ; C_2$ and suppose
that we want to refine $C_2$. Although $C_1$ is left unchanged, we still need to determine
which guarantees $C_1$ can make under which assumptions. The statement
$\{P, \Gamma\}\ C_1\ \{Q, \Delta\}$, which abbreviates $C_1 \succ^{Q,\Delta}_{P,\Gamma} C_1$, will be convenient in these
situations. Note that in his generalization of Owicki and Gries' Hoare logic [ref],
Stirling employs a statement with almost precisely the same meaning.

NEW-INTRO If

$$C \;\succ^{Q,\Delta}_{P,\Gamma,V \cup \{x\}}\; C', \qquad P \Rightarrow P[v/x] \qquad \text{and} \qquad x \notin fv(C)$$

then

$$C \;\succ^{\exists x.Q,\;\Delta'}_{\exists x.P,\;\exists x.\Gamma,\;V}\; new\ x = v\ in\ C'$$

where $\exists x.\Gamma = \{\exists x.P \mid P \in \Gamma\}$ and $\Delta' = \Delta \cup \{P \mid \exists x.P \in \Delta\}$.

In the next two rules let $\alpha_m = Var{:}[tt,\ m = 0 \to m' = 0 \mid m' < m]$ where $B \to P \mid Q$
abbreviates $(B \Rightarrow P) \wedge (\neg B \Rightarrow Q)$ and $\Gamma_m = \{m < n \mid n \in \mathbb{N}\}$.

WHILE-INTRO If

$$C \;\succ^{I,\Delta}_{B \wedge I,\;\Gamma,\;V}\; C' \qquad \text{and} \qquad (\neg B \wedge I) \Rightarrow Q$$

and there exists an arithmetic expression $m$ over the free variables in $B$ and $C'$
such that $m \ge 0$, and $m = 0 \Rightarrow \neg B$, and

$$(inv^* m;\ \alpha_m;\ inv^* m)^\omega \;\sqsupseteq_T\; C'$$

then

$$(\{B \wedge I\};\ C)^*;\ \{Q\} \;\succ^{Q,\Delta}_{I,\;\Gamma \cup \Gamma_m,\;V}\; while\ B\ do\ C'.$$

AWAIT-INTRO If

$$\{P_1, \Gamma\}\ [\,V{:}[B \wedge P_2, Q_2] \;\|\; D\,]\ \{Q_1, \Delta\}$$

and there exists an arithmetic expression $m$ over the free variables in $B$ and $D$
such that $m \ge 0$, and $m = 0 \Rightarrow B$, and

$$(inv^* m;\ \alpha_m;\ inv^* m)^\omega \;\vee\; (inv^* m;\ \alpha_m;\ inv^* m)^*;\ \{m = 0\};\ inv^* m \;\sqsupseteq_T\; D$$

then

$$[\,V{:}[B \wedge P_2, Q_2] \;\|\; D\,] \;\succ^{Q_1,\Delta}_{P_1,\Gamma}\; [\,await\ B\ then\ V{:}[P_2, Q_2]\ end \;\|\; D\,].$$

Fig. 2. Rules for introducing while and await

Consider the two sets of predicates $\mathcal{P}(Var)$ and $\mathcal{P}(\emptyset)$. $\mathcal{P}(Var)$ contains all
predicates over $Var$. Thus, an environment that preserves all predicates in $\mathcal{P}(Var)$
cannot change any state in any way. $\mathcal{P}(\emptyset)$, on the other hand, contains only the
constant predicates $tt$ and $ff$ (and their equivalents). Since $tt$ and $ff$ are always
preserved, $\mathcal{P}(\emptyset)$ places no restrictions and thus allows the environment to change
any state arbitrarily.

Lemma 3.1 and 3.2 state that refinement with respect to an environment
that preserves all predicates implies execution inclusion (and vice versa). Both
follow directly from the definitions. Lemma 3.3 is an instance of the weakening
rule.

Lemma 3. 1. If $C \succ^{Q,\Delta}_{P,\,\mathcal{P}(Var),\,\emptyset} C'$ then $\{P\};C \sqsupseteq_\varepsilon \{P\};C'$ and $\{P\}\ C'\ \{Q\}$, for
all $\Delta$.

2. If $\{P\};C \sqsupseteq_\varepsilon \{P\};C'$ then $C \succ^{tt,\,\mathcal{P}(\emptyset)}_{P,\,\mathcal{P}(Var),\,\emptyset} C'$.

3. If $C_1 \sqsupseteq_T C_2$ and $C_2 \succ^{Q,\Delta}_{P,\Gamma,V} C_3$ then $C_1 \succ^{Q,\Delta}_{P,\Gamma,V} C_3$. If $C_2 \sqsupseteq_T C_3$ and
$C_1 \succ^{Q,\Delta}_{P,\Gamma,V} C_2$ then $C_1 \succ^{Q,\Delta}_{P,\Gamma,V} C_3$.

Moreover, refinement is transitive.

Lemma 4. If $C_1 \succ^{Q_1,\Delta_1}_{P,\Gamma_1,V_1} C_2$ and $C_2 \succ^{Q_2,\Delta_2}_{P,\Gamma_2,V_2} C_3$ then $C_1 \succ^{Q_2,\Delta_2}_{P,\,\Gamma_1 \cup \Gamma_2,\,V_1 \cup V_2} C_3$.



General Refinement Methodology Suppose we have shown

$$C_i \;\succ^{Q_i,\Delta_i}_{P,\Gamma_i}\; C_{i+1}$$

for $1 \le i < n$. Using transitivity (Lemma 4) this implies

$$C_1 \;\succ^{Q_{n-1},\Delta_{n-1}}_{P,\;\Gamma_1 \cup \cdots \cup \Gamma_{n-1}}\; C_n$$

which yields

$$\{P\};C_1 \sqsupseteq_\varepsilon \{P\};C_n \qquad \text{and} \qquad \{P\}\ C_n\ \{Q_{n-1}\}$$

with weakening and Lemma 3.1. Thus, every execution $\sigma$ of $C_n$ that starts in a
state satisfying $P$ also is an execution of $C_1$ and whenever $\sigma$ is finite, the last state
satisfies $Q_{n-1}$. Note that this refinement methodology assumes that all $C_i$ have a
non-empty set of executions. We thus have to be careful not to introduce a trivial
refinement without executions. Note, however, that all programs that contain
the standard programming language constructs only, and that are thus part of
the language considered by Owicki and Gries [ref], do have non-empty sets of
executions. Consequently, whenever the most refined program $C_n$ is syntactically
well-formed in the sense of [ref], the entire refinement is non-trivial.

4 Example 

The following example has also been used in [ref]. Suppose $n > 1$ bank accounts
are represented by an array $A[1..n]$. Let $a$ and $b$ with $1 \le a, b \le n$ be two
distinguished accounts. We want to develop a program which computes the sum
$s$ over all entries in $A$ and concurrently also transfers \$20 from account $a$ to
account $b$. We start with a high-level program $C_1$ that is easily seen to be correct.
In the following, let $\Sigma A$ stand for $\Sigma A = \sum_{i=1}^{n} A[i]$. The first two refinement steps
are summarized in Figure 3.

$C_1 = [\; s := \Sigma A \;\;\|\;\; A[a], A[b] := A[a] - 20, A[b] + 20 \;]$

$C_2 = new\ k = 1, t = 0\ in\ [\; \{k, t\}{:}[tt, tt]^*;\ \{t = \Sigma A\};\ s := \Sigma A \;\;\|\;\; A[a], A[b] := A[a] - 20, A[b] + 20 \;]$

$C_3 = new\ k = 1, t = 0\ in\ [\; \{k, t\}{:}[tt, tt]^*;\ \{t = \Sigma A\};\ s := t \;\;\|\;\; A[a], A[b] := A[a] - 20, A[b] + 20 \;]$

Fig. 3. Refinements $C_1$ through $C_3$



Refining $C_1$ into $C_2$ The first refinement step introduces two local variables
$k$ and $t$, and a finite loop that modifies these two variables only and that is
required to terminate in a state in which $t$ contains the sum over $A$.

Let $Q_s$ be the postcondition of the left parallel subprogram and let $P_{a,b}$ and
$Q_{a,b}$ be the pre- and post-condition of the right parallel subprogram, that is,

$$Q_s = (s = \Sigma A) \qquad P_{a,b} = (A[a] = v_1 \wedge A[b] = v_2) \qquad Q_{a,b} = (A[a] = v_1 - 20 \wedge A[b] = v_2 + 20)$$

where $v_1, v_2$ are integers. Formally, this refinement is based on

$$s := \Sigma A \;=_T\; skip^*;\ skip;\ s := \Sigma A \tag{1}$$

$$skip^*;\ skip;\ s := \Sigma A \;\succ\; \{k, t\}{:}[tt, tt]^*;\ \{t = \Sigma A\};\ s := \Sigma A. \tag{2}$$

Equation (1) follows from the closure condition, which implies that the meaning
of a program is invariant under the addition of finite stuttering. Approximation
(2) is obtained by ATOM, SEQ, and STAR. Using Lemma 3.3 this implies

$$s := \Sigma A \;\succ\; \{k, t\}{:}[tt, tt]^*;\ \{t = \Sigma A\};\ s := \Sigma A. \tag{3}$$

Another application of ATOM also yields

$$\{P_{a,b}, \{P_{a,b}, Q_{a,b}\}\}\ \ A[a], A[b] := A[a] - 20, A[b] + 20\ \ \{Q_{a,b}, \Delta\} \tag{4}$$

where $\Delta = \{Q_s,\ t = \Sigma A\} \cup \mathcal{P}(\{k, t, s\})$ and $\mathcal{P}(V)$ denotes the set of all predicates
over the variables in $V$. With an application of PAR to (3) and (4) and then of
NEW-INTRO we obtain

$$C_1 \;\succ^{Q_{a,b} \wedge Q_s,\;\mathcal{P}(\emptyset)}_{P_{a,b},\;\{P_{a,b}, Q_{a,b}, Q_s\}}\; C_2.$$
Refining $C_2$ into $C_3$ If the predicate $t = \Sigma A$ is preserved by the environment,
then the abstract assignment $s := \Sigma A$ can safely be replaced by $s := t$. Formally,
we have

$$s := \Sigma A \;\succ^{Q_s,\;\{P_{a,b}, Q_{a,b}\}}_{t = \Sigma A,\;\{Q_s,\ t = \Sigma A\}}\; s := t.$$

The derivation of

$$C_2 \;\succ^{Q_{a,b} \wedge Q_s,\;\mathcal{P}(\emptyset)}_{P_{a,b},\;\{P_{a,b}, Q_{a,b}, Q_s\}}\; C_3$$

then is determined by the structure of $C_2$ and $C_3$ in a syntax-directed fashion and
thus omitted. Note that according to (4) the right parallel subprogram preserves
the predicates $Q_s$ and $t = \Sigma A$. More precisely, $\{Q_s,\ t = \Sigma A\} \subseteq \Delta$.

For the remaining three refinement steps consider Figure 4.

$C_4 = new\ k = 1, t = 0\ in\ [\; (\{k \le n \wedge I\};\ \{k, t\}{:}[tt, tt])^*;\ \{t = \Sigma A\};\ s := t \;\;\|\;\; A[a], A[b] := A[a] - 20, A[b] + 20 \;]$

$I = k - 1 \le n \wedge t = \sum_{i=1}^{k-1} A[i]$

$C_5 = new\ k = 1, t = 0\ in\ [\; while\ k \le n\ do\ t := t + A[k];\ k := k + 1\ od;\ s := t \;\;\|\;\; \{A[a], A[b]\}{:}[P, Q] \;]$

$P = (k \le a \wedge k \le b) \vee (k > a \wedge k > b)$
$Q = A[a]' = A[a] - 20 \wedge A[b]' = A[b] + 20.$

$C_6 = new\ k = 1, t = 0\ in\ [\; while\ k \le n\ do\ t := t + A[k];\ k := k + 1\ od;\ s := t \;\;\|\;\; await\ P\ then\ A[a], A[b] := A[a] - 20, A[b] + 20\ end \;]$

Fig. 4. Refinements $C_4$ through $C_6$



Refining $C_3$ into $C_4$ We now equip the loop in $C_3$ with a termination condition
$B = k \le n$ and an invariant $I = k - 1 \le n \wedge t = \sum_{i=1}^{k-1} A[i]$. Formally, we show

$$\{k, t\}{:}[tt, tt]^* \;\sqsupseteq_T\; (\{k \le n \wedge I\};\ \{k, t\}{:}[tt, tt])^*.$$

Using congruence (Lemma 1.3), we get $C_3 \sqsupseteq_T C_4$ which implies

$$C_2 \;\succ^{Q_{a,b} \wedge Q_s,\;\mathcal{P}(\emptyset)}_{P_{a,b},\;\{P_{a,b}, Q_{a,b}, Q_s\}}\; C_4$$

by Lemma 3.3 and the previous refinement.
Refining $C_4$ into $C_5$ This refinement step modifies the two parallel subprograms
in $C_4$ simultaneously.

Left subprogram: We want to use rule WHILE-INTRO to replace the Kleene star
construct by a while loop. This rule requires us to refine the loop body first and
prove that $I$ is indeed an invariant of the refined loop. More precisely, we show

$$\{k, t\}{:}[tt, tt] \;\succ^{I,\;\{P_{a,b}, Q_{a,b}\}}_{k \le n \wedge I,\;\{k \le n,\ I\}}\; t := t + A[k];\ k := k + 1$$

using ATOM and SEQ. Next, we show that $t = \Sigma A$ holds upon termination
of the loop, that is, $k > n \wedge I \Rightarrow t = \Sigma A$. Moreover, we need to find an
arithmetic expression $m$ that allows us to prove termination of the while loop.
Let $m = cond(n + 1 > k,\ n + 1 - k,\ 0)$ where

$$cond(B, e_1, e_2) = \begin{cases} e_1, & \text{if } B \\ e_2, & \text{otherwise.} \end{cases}$$

We check each of the conditions of rule WHILE-INTRO. Clearly, $m \ge 0$ and $m = 0 \Rightarrow k > n$.
Using Lemma 1.2 to deduce trace inclusion for atomic statements
and the congruence of $\sqsubseteq_T$ (Lemma 1.3) it can be shown that

$$(inv^* m;\ \alpha_m;\ inv^* m)^\omega \;\sqsupseteq_T\; inv^* m;\ \alpha_m \;\sqsupseteq_T\; t := t + A[k];\ k := k + 1.$$

Thus,

$$(\{k \le n \wedge I\};\ \{k, t\}{:}[tt, tt])^*;\ \{t = \Sigma A\};\ s := t \;\;\succ^{Q_s,\;\{P_{a,b}, Q_{a,b}\}}_{I,\;\Gamma \cup \Gamma_m}\;\; while\ k \le n\ do\ t := t + A[k];\ k := k + 1\ od;\ s := t$$

where $\Gamma = \{k \le n,\ Q_s,\ I,\ t = \Sigma A\}$ and $\Gamma_m = \{m < n \mid n \in \mathbb{N}\}$, using WHILE-INTRO and SEQ.

Right subprogram: The above refinement is subject to the constraints $\Gamma$ and
$\Gamma_m$. However, in its current form the right subprogram does not meet these
constraints. In particular, it does not preserve the invariant $I$. The transferred
money may be counted twice: once on account $a$ and again on $b$. The solution is
to restrict the transition of the interfering component such that it cannot disturb
the computation of the other. This is achieved by postulating that the transition
which transfers \$20 from account $a$ to account $b$ preserves the value of $\sum_{i=1}^{k-1} A[i]$
and thus the predicate $t = \sum_{i=1}^{k-1} A[i]$ for all values of $k$. Let

$$Q = A[a]' = A[a] - 20 \wedge A[b]' = A[b] + 20$$

$$R = \sum_{i=1}^{k-1} A[i]' = \sum_{i=1}^{k-1} A[i].$$

Then, by ATOM

$$A[a], A[b] := A[a] - 20, A[b] + 20 \;\succ^{Q_{a,b},\;\Delta}_{P_{a,b},\;\{P_{a,b}, Q_{a,b}\}}\; \{A[a], A[b]\}{:}[tt,\ Q \wedge R] \tag{5}$$

where $\Delta = \{Q_s,\ I,\ t = \Sigma A\} \cup \mathcal{P}(\{k, t, s\})$. We refine this further by restricting
the transfer to states in which either $k \le a$ and $k \le b$, or $k > a$ and $k > b$. Let
$P = (k \le a \wedge k \le b) \vee (k > a \wedge k > b)$. Then, by ATOM

$$\{A[a], A[b]\}{:}[tt,\ Q \wedge R] \;\succ^{Q_{a,b},\;\Delta}_{P_{a,b},\;\{P_{a,b}, Q_{a,b}\}}\; \{A[a], A[b]\}{:}[P, Q]. \tag{6}$$

Thus, by (5), (6) and transitivity (Lemma 4)

$$A[a], A[b] := A[a] - 20, A[b] + 20 \;\succ^{Q_{a,b},\;\Delta}_{P_{a,b},\;\{P_{a,b}, Q_{a,b}\}}\; \{A[a], A[b]\}{:}[P, Q].$$

This concludes the refinement of the right parallel component.

Note that the refined right subprogram now meets the constraints placed on
it by the left subprogram. That is, $\Gamma \cup \Gamma_m \subseteq \Delta$. Thus, by PAR and NEW we get

$$C_4 \;\succ^{Q_{a,b} \wedge Q_s,\;\mathcal{P}(\emptyset)}_{P_{a,b},\;\{P_{a,b}, Q_{a,b}, Q_s\}}\; C_5.$$

Refining $C_5$ into $C_6$ This refinement step will replace $\{A[a], A[b]\}{:}[P, Q]$ by

$$await\ P\ then\ A[a], A[b] := A[a] - 20, A[b] + 20\ end$$

using rule AWAIT-INTRO. Let $m = cond(k > max(a, b),\ 0,\ max(a, b) - k + 1)$.
Clearly, $m \ge 0$ and $m = 0 \Rightarrow (k \le a \wedge k \le b) \vee (k > a \wedge k > b)$. The third
condition can be shown as follows. First, note that $D =_T D_1 \vee D_2$ where

$$D = while\ k \le n\ do\ t := t + A[k];\ k := k + 1\ od;\ s := t$$

and

$$D_1 = (\{k \le n\};\ t := t + A[k];\ k := k + 1)^\omega$$

and

$$D_2 = (\{k \le n\};\ t := t + A[k];\ k := k + 1)^*;\ \{k > n\};\ s := t.$$

Using Lemma 1.2 to deduce trace inclusion between atomic statements and the
congruence of $\sqsubseteq_T$ (Lemma 1.3) we can show that

$$D_1 \;\sqsubseteq_T\; (inv^* m;\ \alpha_m;\ inv^* m)^\omega \qquad \text{and} \qquad D_2 \;\sqsubseteq_T\; (inv^* m;\ \alpha_m;\ inv^* m)^*;\ \{m = 0\};\ inv^* m.$$

Note that $k > n$ implies $k > max(a, b)$ and thus $m = 0$. The third condition
follows. Thus,

$$C_5 \;\succ^{Q_{a,b} \wedge Q_s,\;\mathcal{P}(\emptyset)}_{P_{a,b},\;\{P_{a,b}, Q_{a,b}, Q_s\}}\; C_6$$

by rule AWAIT-INTRO.
Putting It All Together By transitivity we get

$$C_1 \;\succ^{Q_{a,b} \wedge Q_s,\;\mathcal{P}(\emptyset)}_{P_{a,b},\;\{P_{a,b}, Q_{a,b}, Q_s\}}\; C_6.$$

With weakening and Lemma 3.1 this implies the desired result

$$\{P_{a,b}\};C_1 \;\sqsupseteq_\varepsilon\; \{P_{a,b}\};C_6 \qquad \text{and} \qquad \{P_{a,b}\}\ C_6\ \{Q_{a,b} \wedge Q_s\}.$$
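The interference that motivates the guard $P$, and the effect of the guard, can be checked mechanically on a small instance. The following is an added example (not code from the paper): it enumerates every interleaving of the two components of $C_4$ and of $C_5$/$C_6$ on a constructed four-account instance, taking the loop body $t := t + A[k];\ k := k + 1$ as one atomic step, and reports the reachable final values of $s$, whether the invariant $I$ held in every reachable state, and whether the guarded transfer can block forever.

```python
"""Exhaustive interleaving check for the bank-account example of Section 4.

Left component:  while k <= n do t := t + A[k]; k := k + 1 od; s := t
Right component: A[a], A[b] := A[a] - 20, A[b] + 20   (one transition, optionally guarded)

The loop body is taken as a single atomic step (an assumption of this example).
"""
from dataclasses import dataclass, replace
from typing import Callable, Optional, Set, Tuple

# Constructed instance (not from the paper): n = 4 accounts A[1..4], transfer from a = 2 to b = 3.
N = 4
A0 = (0, 100, 50, 70, 30)   # A0[0] is unused padding so that A[1..n] is 1-indexed
ACC_A, ACC_B = 2, 3
AMOUNT = 20


@dataclass(frozen=True)
class State:
    A: Tuple[int, ...]
    k: int
    t: int
    s: Optional[int]      # None until s := t has executed
    transferred: bool     # whether the right component has made its transition


Guard = Callable[[State], bool]


def unguarded(st: State) -> bool:
    """The transfer of C_4: enabled in every state."""
    return True


def guard_P(st: State) -> bool:
    """P = (k <= a and k <= b) or (k > a and k > b) from C_5/C_6:
    both accounts are still uncounted, or both have already been added to t."""
    return (st.k <= ACC_A and st.k <= ACC_B) or (st.k > ACC_A and st.k > ACC_B)


def left_step(st: State) -> Optional[State]:
    """One transition of the left component, or None once it has terminated."""
    if st.k <= N:
        return replace(st, t=st.t + st.A[st.k], k=st.k + 1)
    if st.s is None:
        return replace(st, s=st.t)
    return None


def transfer_step(st: State, guard: Guard) -> Optional[State]:
    """The transfer transition, enabled at most once and only where the guard holds."""
    if st.transferred or not guard(st):
        return None
    A = list(st.A)
    A[ACC_A] -= AMOUNT
    A[ACC_B] += AMOUNT
    return replace(st, A=tuple(A), transferred=True)


def invariant_I(st: State) -> bool:
    """I = k - 1 <= n and t = sum_{i=1}^{k-1} A[i], evaluated on the current A."""
    return st.k - 1 <= N and st.t == sum(st.A[1:st.k])


def explore(guard: Guard) -> Tuple[Set[int], bool, int]:
    """Depth-first search over all interleavings.

    Returns the set of final values of s, whether I held in every reachable state,
    and the number of states in which nothing can move although the transfer is
    still pending (0 means the await of C_6 never blocks forever).
    """
    init = State(A0, 1, 0, None, False)
    seen = {init}
    stack = [init]
    finals: Set[int] = set()
    inv_ok = True
    stuck = 0
    while stack:
        st = stack.pop()
        inv_ok = inv_ok and invariant_I(st)
        succ = [nxt for nxt in (left_step(st), transfer_step(st, guard)) if nxt is not None]
        if not succ:
            if st.s is not None and st.transferred:
                finals.add(st.s)
            else:
                stuck += 1
            continue
        for nxt in succ:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return finals, inv_ok, stuck


if __name__ == "__main__":
    total = sum(A0)
    for name, g in (("unguarded transfer (C_4)", unguarded), ("guarded transfer (C_5/C_6)", guard_P)):
        finals, inv_ok, stuck = explore(g)
        print(f"{name}: final s in {sorted(finals)}, expected {total}; "
              f"I always holds: {inv_ok}; stuck states: {stuck}")
```

The unguarded run exhibits the double counting described above (a final sum 20 too large when the transfer lands between counting $a$ and counting $b$), while the guarded run always yields $\Sigma A$ and keeps $I$ in every reachable state.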



5 Conclusion 

We have presented a syntax-directed refinement calculus for terminating and
non-terminating shared-variable parallel programs. It is based on Brookes' transition
trace semantics [ref] from which it inherits the support for local variables
and fairness. The calculus distinguishes specifications and programs neither syntactically
nor semantically. Moreover, it allows for reasoning about both safety
and liveness properties like termination and eventual entry. The calculus has
been used for a completely rigorous verification of a class of $n$-process mutual
exclusion algorithms which includes the tie-breaker, the bakery and the ticket
algorithm [ref]. Eventual entry was proved using a slight variant of rule AWAIT-INTRO.
The calculus has allowed us to verify alternative, somewhat surprising
implementations of some of these mutual exclusion algorithms. Our approach
also is applicable to a distributed, message-passing setting in which channels
are modeled as variables ranging over infinite queues with asynchronous (non-blocking)
send and synchronous (blocking) receive. We have formally derived distributed
implementations of the prefix sum algorithm and of an all-pair shortest
path algorithm for unweighted graphs.



Related Work This paper defines refinement in terms of context-sensitive approximation
on transition traces (Definition 4), which was introduced in [ref].
Based on [ref], tentative steps towards a refinement calculus for UNITY were
taken in [ref]. However, the refinement relation employed there is based solely on
trace inclusion (context-sensitive approximation) and contains neither program
guarantees nor partial correctness behaviour. Moreover, the refinement rules are
not syntax-directed and rather ad hoc. The proof systems in [refs] both use
rely-guarantee (assumption-commitment) reasoning to achieve compositionality.
However, whereas Jones employs logical formulas to specify the behaviour of the
program and its environment, Stirling uses sets of predicates (invariants) like
we do. The work in [ref] augments Jones' work with an explicit notion of refinement.
Back's refinement calculus for Action systems [ref] also models refinement
explicitly. However, his calculus is not syntax-directed but rather a more or less
arbitrary collection of program transformation rules. All of the above mentioned
approaches differ from ours at least in that they lack support for fairness and
liveness properties like eventual entry.
Abstract. The classical method of associating a class of algebras with
a logical system is that of Lindenbaum and Tarski. It can be applied to
any system with a biconditional $\leftrightarrow$ that is compositional in the sense
that it defines a congruence relation on the absolutely free algebra of
formulas. The method has been abstracted to provide effective criteria for
the algebraizability of a large class of formal systems. One consequence of
this work is a uniform method of providing a formal system with algebraic
semantics. The main features of the theory of abstract algebraic logic and
one of its potential applications are surveyed.



1 Introduction 

Equational logic has played a prominent role in the applications of logic in computer
science. It has found application in a number of different areas including functional
programming, term rewriting, specification theory, and relational models
of programming semantics. Algebraic logic deals specifically with the representation
of different logical systems in equational logic, and for this reason is a promising
area to look for new applications of logic in computer science. One of the chief
paradigms for algebraic logic is the way that the class of Heyting algebras is constructed
from Heyting's formalization of Brouwer's intuitionism by the so-called
Lindenbaum-Tarski process.

In its traditional form the Lindenbaum-Tarski process relies on the fact that
the underlying logic has a biconditional $\leftrightarrow$ that defines logical equivalence. The
set of all sentences or formulas is partitioned into logical equivalence classes and
then abstracted by the familiar process of forming the quotient. The resulting
algebra is called the Lindenbaum-Tarski algebra of the original logic. The class
of algebras one gets this way by adjoining arbitrary sets of nonlogical axioms
becomes the subject of the algebraic study of the original logic. That this process
actually leads to an algebra relies on the compositionality of logical equivalence.
Nonstandard logical systems, like those that arise in computer science applications,
may not have a biconditional with the appropriate properties, and the
traditional Lindenbaum-Tarski process is not directly applicable in these cases.
The abstraction of the Lindenbaum-Tarski process and the investigation of the
consequences of its application to this more general class of logical systems is
the domain of abstract algebraic logic.
2 Deductive Systems and Matrix Semantics

By a language type we mean a set $\mathcal{L}$ of connectives or operation symbols, depending
on whether we are viewing them from a logical or algebraic perspective.
The set of formulas over $\mathcal{L}$, in symbols $\mathrm{Fm}_\mathcal{L}$, is formed in the usual way. $\mathbf{Fm}_\mathcal{L}$ is
the corresponding algebra of formulas. For any set $X$ of variables, $\mathrm{Fm}_\mathcal{L}(X)$ is the
set of formulas in which only variables from $X$ occur, and $\mathbf{Fm}_\mathcal{L}(X)$ is the corresponding
formula algebra. The operation of simultaneously substituting fixed
but arbitrary formulas for variables is identified with the unique endomorphism
of $\mathbf{Fm}_\mathcal{L}$ it determines.

The basic syntactic unit of a $k$-deductive system is a $k$-tuple of $\mathcal{L}$-formulas;
these are called $k$-formulas. If $\varphi = \langle \varphi_0, \ldots, \varphi_{k-1} \rangle$ is a $k$-formula and $\sigma : \mathbf{Fm}_\mathcal{L} \to \mathbf{Fm}_\mathcal{L}$
is a substitution, then the $\sigma$-substitution instance of $\varphi$, $\sigma(\varphi)$, is defined to
be $\langle \sigma(\varphi_0), \ldots, \sigma(\varphi_{k-1}) \rangle$.

Let $k$ be any positive integer. A $k$-deductive system over $\mathcal{L}$ is a pair $\mathcal{S} =
\langle \mathbf{Fm}_\mathcal{L}, \vdash_\mathcal{S} \rangle$ where $\vdash_\mathcal{S} \subseteq \mathcal{P}(\mathrm{Fm}^k_\mathcal{L}) \times \mathrm{Fm}^k_\mathcal{L}$ satisfies the following conditions for all
$\Gamma, \Delta \subseteq \mathrm{Fm}^k_\mathcal{L}$ and $\varphi \in \mathrm{Fm}^k_\mathcal{L}$:

$\Gamma \vdash_\mathcal{S} \varphi$ for all $\varphi \in \Gamma$;

$\Gamma \vdash_\mathcal{S} \varphi$ and $\Delta \vdash_\mathcal{S} \psi$ for every $\psi \in \Gamma$ imply $\Delta \vdash_\mathcal{S} \varphi$;

$\Gamma \vdash_\mathcal{S} \varphi$ implies $\Gamma' \vdash_\mathcal{S} \varphi$ for some $\Gamma' \subseteq \Gamma$;

$\Gamma \vdash_\mathcal{S} \varphi$ implies $\sigma(\Gamma) \vdash_\mathcal{S} \sigma(\varphi)$ for every substitution $\sigma$.


By a $k$-dimensional rule, or simply a $k$-rule, we mean a pair $\langle \Gamma, \varphi \rangle$, usually
written in the form $\dfrac{\Gamma}{\varphi}$, where $\Gamma \cup \{\varphi\} \subseteq \mathrm{Fm}^k_\mathcal{L}$. A $k$-formula $\varphi$ is a theorem of a
$k$-deductive system $\mathcal{S}$ if $\vdash_\mathcal{S} \varphi$ (i.e., $\emptyset \vdash_\mathcal{S} \varphi$). The rule $\dfrac{\Gamma}{\varphi}$ is a derived rule of $\mathcal{S}$
if $\Gamma \vdash_\mathcal{S} \varphi$. $T \subseteq \mathrm{Fm}^k_\mathcal{L}$ is a theory of $\mathcal{S}$ if it is closed under all derived inference
rules.

A large number of different logical systems are either $k$-deductive systems
or can be reformalized as $k$-deductive systems. All the familiar sentential logics
together with their various fragments and refinements are naturally formalized
as finitary 1-deductive systems. For example, the classical and intuitionistic sentential
logics, the various modal logics (including Lewis's S4 and S5), and the
multiple-valued logics of Łukasiewicz and Post.

The most important example of a 2-deductive system is equational logic. A
2-formula $\langle \varphi, \psi \rangle$ is to be interpreted as the equation $\varphi \approx \psi$ or, more precisely,
as the congruence $\varphi \equiv \psi$.

Let $\mathcal{L} = \{\omega_i : i \in I\}$ be any language type. The axioms and rules of inference
of the system of free equational logic are:

(A1) $\langle x, x \rangle$;

(R1) $\dfrac{\langle x, y \rangle}{\langle y, x \rangle}$;

(R2) $\dfrac{\langle x, y \rangle,\ \langle y, z \rangle}{\langle x, z \rangle}$;

(R3$_\omega$) $\dfrac{\langle x_0, y_0 \rangle,\ \ldots,\ \langle x_{n-1}, y_{n-1} \rangle}{\langle \omega x_0 \ldots x_{n-1},\ \omega y_0 \ldots y_{n-1} \rangle}$,

for each $\omega \in \mathcal{L}$, $n$ the rank of $\omega$.
The theories of free equational logic, in the sense defined above, are exactly
the congruences on the formula algebras $\mathbf{Fm}_\mathcal{L}$.

The equational logic associated with a particular quasivariety $\mathsf{Q}$ over
the language type $\mathcal{L}$ is an extension of the free equational logic. Its axioms and
rules of inference include (A1), (R1), (R2), and (R3$_\omega$), for $\omega \in \mathcal{L}$. If
$\mathsf{Q}$ is axiomatized by a set $Id$ of identities and a set $Qd$ of quasi-identities, we
adjoin the axioms $\langle \varphi, \psi \rangle$, for every identity $\varphi \approx \psi \in Id$, and the rules

$$\frac{\langle \varphi_0, \psi_0 \rangle,\ \ldots,\ \langle \varphi_{n-1}, \psi_{n-1} \rangle}{\langle \varphi, \psi \rangle}$$

for every quasi-identity $(\bigwedge_{i<n} \varphi_i \approx \psi_i) \to \varphi \approx \psi \in Qd$.

Conversely, any extension of the free equational logic over $\mathcal{L}$ by new axioms
and rules is the equational logic of some quasivariety $\mathsf{Q}$.

The logic of partially ordered algebras can also be formalized as a 2-deductive
system with 2-formulas representing the partial ordering, i.e., the 2-formula
$\langle \varphi, \psi \rangle$ is now to be interpreted as the inequality (or more precisely the quasi-inequality)
$\varphi \le \psi$. The axioms and rules of inference are the same as for the free
equational logic except that the symmetry rule (R1) is omitted. The theories of
free quasi-ordered logic are the quasi-orderings on the formula algebra with the
property that each fundamental operation is monotone in each argument.

Sequent calculi, with a fusion connective that allows the set of formulas on
the left hand side of a sequent to be combined in a single formula, can be reformulated
as 2-deductive systems. Here $\langle \varphi, \psi \rangle$ stands for the sequent $\varphi \vdash \psi$. Roughly
speaking, a sequent calculus with this property constitutes a generalization of
quasi-ordered logic in which the fundamental operations may be anti-monotone
with respect to the ordering in some arguments. Linear logic (with the tensor
connective $*$ as the fusion connective) is of this kind.

Hyper-equational logic is an applied equational logic that in a certain sense
encompasses in a single formalism all the applied equational logics, over all
language types $\mathcal{L}$. It takes the form of the equational logic of a variety $\mathsf{V}$, where $\mathsf{V}$ is the variety of abstract
algebras of clones. Hyper-equational logic constitutes an adequate formalization
of all of that part of applied equational logic that deals only with axiomatic
extensions of free equational logic (no nonlogical inference rules), and it allows
one to reduce the study of all such applied equational logics to the study of the
theories of a single applied equational logic.

First-order predicate logic can be transformed into a $k$-deductive system in
much the same way, and this transformation is intimately connected with the
classical process of algebraizing first-order logic. In the case of predicate logic we
get a 1-deductive system, but an application of the Lindenbaum-Tarski process
to the resulting 1-deductive system gives an applied equational logic as in the
hyper-equational case.

By focusing on $k$-deductive systems here we are in effect restricting ourselves
to strict universal Horn theories with a single predicate symbol, and in particular
without equality. There is nothing essential about the restriction to a single
predicate or the elimination of equality. Most of the main results of abstract
algebraic logic extend with only minor modifications to arbitrary strict Horn
theories, with or without equality, and to an even wider class of logical systems.
This includes, for example, the sequent calculi in their usual formulation, and
an appropriately chosen subclass of the class of institutions [ref], $\pi$-institutions
[ref], and general logics [ref].

A pseudo algebraic semantics can be provided for an arbitrary $k$-deductive
system in a uniform way by means of the $k$-matrix models. The algebraic study of
the matrix semantics for deductive systems originated with Łoś and Suszko [ref]
and was systematically developed in [ref].

By a $k$-matrix (or simply a matrix in contexts in which $k$ is fixed) we mean
an ordered pair $\mathfrak{A} = \langle \mathbf{A}, F_\mathfrak{A} \rangle$ where $\mathbf{A}$ is an $\mathcal{L}$-algebra and $F_\mathfrak{A}$ is any subset of
$k$-tuples of the universe $A$ of $\mathbf{A}$.

Let $\mathfrak{A} = \langle \mathbf{A}, F_\mathfrak{A} \rangle$ and $\mathfrak{B} = \langle \mathbf{B}, F_\mathfrak{B} \rangle$ be $k$-matrices. $\mathfrak{A}$ is a submatrix of $\mathfrak{B}$ if
$\mathbf{A}$ is a subalgebra of $\mathbf{B}$ and $F_\mathfrak{A} = F_\mathfrak{B} \cap A^k$. A matrix homomorphism $h$ from
$\mathfrak{A}$ to $\mathfrak{B}$ is a homomorphism of the underlying algebras $\mathbf{A}$ and $\mathbf{B}$ such that
$h(F_\mathfrak{A}) \subseteq F_\mathfrak{B}$ or, equivalently, $F_\mathfrak{A} \subseteq h^{-1}(F_\mathfrak{B})$. By the direct product of a system
$\langle \mathfrak{A}_i : i \in I \rangle$ of $k$-matrices we mean the $k$-matrix $\prod_{i \in I} \mathfrak{A}_i = \langle \prod_{i \in I} \mathbf{A}_i,\ F \rangle$ where
$F$ is the set of all $k$-tuples $\langle a_0, \ldots, a_{k-1} \rangle$ of elements of $\prod_{i \in I} A_i$ such
that $\langle a_0(i), a_1(i), \ldots, a_{k-1}(i) \rangle \in F_{\mathfrak{A}_i}$ for each $i \in I$. A submatrix of a direct
product of $k$-matrices is a subdirect product if each projection is surjective.

Let $\mathfrak{A}$ be an arbitrary $k$-matrix over the language $\mathcal{L}$. $\mathfrak{A}$ defines for each set $X$
of variables a semantic consequence relation $\models_{\mathfrak{A}(X)} \subseteq \mathcal{P}(\mathrm{Fm}^k_\mathcal{L}(X)) \times \mathrm{Fm}^k_\mathcal{L}(X)$ over
$\mathcal{L}$. Let $\Gamma \cup \{\varphi\} \subseteq \mathrm{Fm}^k_\mathcal{L}(X)$ and $\psi \in \mathrm{Fm}^k_\mathcal{L}(X)$. Then $\Gamma \models_{\mathfrak{A}(X)} \varphi$ is the relation
that holds between $\Gamma$ and $\varphi$ if, for every interpretation $\bar{a}$ of the variables in $X$
in $\mathbf{A}$,

$$\psi^\mathbf{A}(\bar{a}) \in F_\mathfrak{A}\ \text{ for every } \psi \in \Gamma \quad \text{implies} \quad \varphi^\mathbf{A}(\bar{a}) \in F_\mathfrak{A}.$$

For any class $\mathsf{K}$ of $k$-matrices, $\Gamma \models_{\mathsf{K}(X)} \varphi$ iff $\Gamma \models_{\mathfrak{A}(X)} \varphi$ for every $\mathfrak{A} \in \mathsf{K}$. It is
clear that if $X$ and $Y$ are sets of variables such that $X \subseteq Y$ and if $\Gamma \cup \{\varphi\} \subseteq
\mathrm{Fm}^k_\mathcal{L}(X)$, then $\Gamma \models_{\mathfrak{A}(X)} \varphi$ iff $\Gamma \models_{\mathfrak{A}(Y)} \varphi$. Thus in the sequel we omit explicit
reference to the set of variables and write simply $\Gamma \models_\mathfrak{A} \varphi$.

Let $\mathcal{S}$ be a $k$-dimensional deductive system. A $k$-matrix $\mathfrak{A}$ is called a matrix
model of $\mathcal{S}$ if $\Gamma \vdash_\mathcal{S} \varphi$ implies $\Gamma \models_\mathfrak{A} \varphi$, for every set $X$ of variables and every
$\Gamma \cup \{\varphi\} \subseteq \mathrm{Fm}^k_\mathcal{L}(X)$. A set $F \subseteq A^k$ is an $\mathcal{S}$-filter on $\mathbf{A}$ if $\langle \mathbf{A}, F \rangle$ is a model of $\mathcal{S}$.
The set of all $\mathcal{S}$-filters on $\mathbf{A}$ is denoted by $\mathrm{Fi}_\mathcal{S}\,\mathbf{A}$. The class of matrix models of $\mathcal{S}$
is denoted by $\mathrm{Mod}\,\mathcal{S}$. The $\mathcal{S}$-matrices are exactly the models (in the first-order
sense) of the universal Horn theory associated with $\mathcal{S}$.

3 The Abstract Lindenbaum-Tarski Process

The abstract Lindenbaum-Tarski process can be applied to obtain a more algebra-like
semantics for $k$-deductive systems. This entails abstracting the notion of
logical equivalence. We adapt Leibniz's well-known definition of equality for
this purpose. Let $\mathfrak{A} = \langle \mathbf{A}, F \rangle$ be an arbitrary matrix. Define the binary relation
$\Omega^\mathbf{A} F$ on $A$ by the condition that $\langle a, b \rangle \in \Omega^\mathbf{A} F$ if, for every formula
$\varphi(x, \bar{u}) \in \mathrm{Fm}_\mathcal{L}$ with a single variable $x$ and an arbitrary number of parameters
$\bar{u} = \langle u_0, \ldots, u_{n-1} \rangle$,

$$\varphi^\mathbf{A}(a, \bar{c}) \in F \quad \text{iff} \quad \varphi^\mathbf{A}(b, \bar{c}) \in F, \quad \text{for every } \bar{c} = \langle c_0, \ldots, c_{n-1} \rangle \in A^n.$$

$\Omega^\mathbf{A} F$ is a congruence relation on $\mathbf{A}$, abstracting Frege's principle of compositionality
for logical equivalence. $\Omega^\mathbf{A} F$ is called the Leibniz congruence of
$F$ on $\mathbf{A}$. It is the largest congruence on $\mathbf{A}$ compatible with $F$ in the sense
that $a \equiv b \pmod{\Omega^\mathbf{A} F}$ and $a \in F$ imply $b \in F$. The quotient matrix
$\mathfrak{A} / \Omega^\mathbf{A} F = \langle \mathbf{A} / \Omega^\mathbf{A} F,\ F / \Omega^\mathbf{A} F \rangle$ is called the reduction of $\mathfrak{A}$ and is denoted
by $\mathfrak{A}^*$. $\mathfrak{A}$ is reduced if $\mathfrak{A} = \mathfrak{A}^*$. If $\mathcal{S}$ is a deductive system we denote the class of
all reduced models of $\mathcal{S}$ by $\mathrm{Mod}^*\mathcal{S}$, and $\mathrm{Alg}\,\mathrm{Mod}^*\mathcal{S}$ is the class of underlying
algebras of reduced models.

In abstract algebraic logic the $k$-deductive systems are classified into the algebraic hierarchy. It reflects the degree to which the reduced matrix semantics of a system behaves like a real algebraic semantics. At the top of the hierarchy are the so-called algebraizable deductive systems introduced in [?], and the various weaker notions considered in [?]. The paradigms here are the 1-deductive systems of classical and intuitionistic logic. In this case $\mathrm{Alg\,Mod}^*\,\mathcal{S}$ is respectively the variety of Boolean and the variety of Heyting algebras. In addition to the classical and intuitionistic propositional logics, most modal logics, the multiple-valued logics of Łukasiewicz and Post, and the first-order predicate logic are algebraizable. The applied equational logics are the primary examples of algebraizable 2-deductive systems.

Lower down in the hierarchy come the protoalgebraic and equivalential systems [?]. Here the class of reduced matrix models $\mathrm{Mod}^*\,\mathcal{S}$ still exhibits strong algebra-like characteristics, but cannot be replaced by $\mathrm{Alg\,Mod}^*\,\mathcal{S}$, as is the case for finitely algebraizable systems. Almost all deductive systems that have appeared in the literature are protoalgebraic. The equivalential systems are more specialized but still constitute a much broader class than the algebraizable ones, especially among 2-deductive systems. For simplicity the following survey of the algebraic hierarchy is formulated only for 1-deductive systems.

Let $\Delta(x, y) = \{\, \delta_i(x, y) : i \in I \,\}$ be a finite set of 1-formulas in two variables. $\Delta(x, y)$ is called a protoequivalence system for a 1-deductive system $\mathcal{S}$ if the following are theorems and a derived rule of $\mathcal{S}$:

$$\Delta(x, x), \qquad \frac{x,\ \Delta(x, y)}{y}.$$



Theorem 1. Let $\mathcal{S}$ be a deductive system. The following conditions are equivalent.

(i) $\mathcal{S}$ has a protoequivalence system.

(ii) The Leibniz congruence operator is monotonic on $\mathcal{S}$-filters, that is, for every $\mathcal{L}$-algebra $A$ and all $F, G \in \mathrm{Fi}_A\,\mathcal{S}$, $F \subseteq G$ implies $\Omega^A F \subseteq \Omega^A G$.

(iii) $\mathrm{Mod}^*\,\mathcal{S}$ is closed under subdirect products.
A deductive system $\mathcal{S}$ is protoalgebraic if any one, and hence all, of the above conditions hold. Almost all the deductive systems considered in the literature are protoalgebraic. One which is not is the 1-deductive system defined by the class of all matrices of the form $(A, F)$ where $A$ is a distributive lattice and $F$ is a lattice filter. Protoalgebraicity seems to be the minimal property required in order for $\mathrm{Mod}^*\,\mathcal{S}$ to behave like a reasonable algebraic semantics.
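The Leibniz congruence of Section 3 and the monotonicity condition of Theorem 1(ii) can be checked mechanically on finite matrices. The following Python example is added here and is not the paper's code; it assumes the elements of $A$ are numbered $0, \ldots, n-1$, computes $\Omega^A F$ from the parametrised-formula definition by closing the unary polynomial functions, and then shows on the three-element chain (a distributive lattice with lattice filters, the non-protoalgebraic case just mentioned) that $F \subseteq G$ does not yield $\Omega^A F \subseteq \Omega^A G$, whereas on the four-element Boolean algebra it does.

```python
"""Leibniz congruence of a finite 1-matrix (A, F), computed directly from the
definition in Section 3: (a, b) lies in Omega_A F iff every unary polynomial
p(x) = psi(x, c) of A satisfies p(a) in F <=> p(b) in F.  Added example, not code
from the paper.  Elements of A are 0..n-1; operations are (arity, callable) pairs."""
from itertools import product

def unary_polynomials(n, ops):
    """All unary polynomial functions of A as tuples (p(0), ..., p(n-1)): start from the
    identity and the constants (the parameters c) and close under the basic operations
    applied pointwise.  A is finite, so the closure terminates."""
    polys = {tuple(range(n))} | {tuple([c] * n) for c in range(n)}
    grew = True
    while grew:
        grew = False
        for arity, f in ops:
            for args in product(sorted(polys), repeat=arity):
                q = tuple(f(*(p[x] for p in args)) for x in range(n))
                if q not in polys:
                    polys.add(q)
                    grew = True
    return polys

def leibniz_congruence(n, ops, F):
    """Omega_A F: the pairs that no polynomial can separate with respect to F."""
    F, polys = set(F), unary_polynomials(n, ops)
    return frozenset((a, b) for a in range(n) for b in range(n)
                     if all((p[a] in F) == (p[b] in F) for p in polys))

def is_congruence(n, ops, theta):
    """Equivalence relation on 0..n-1 preserved by every basic operation."""
    refl = all((a, a) in theta for a in range(n))
    symm = all((b, a) in theta for a, b in theta)
    trans = all((a, d) in theta for a, b in theta for c, d in theta if b == c)
    pres = all((f(*xs), f(*ys)) in theta
               for arity, f in ops
               for xs in product(range(n), repeat=arity)
               for ys in product(range(n), repeat=arity)
               if all((x, y) in theta for x, y in zip(xs, ys)))
    return refl and symm and trans and pres

def compatible(theta, F):
    """theta is compatible with F: a == b (mod theta) and a in F imply b in F."""
    return all(b in F for a, b in theta if a in F)

def blocks(n, theta):
    """Classes of theta, i.e. the universe of the reduced algebra A / theta."""
    return sorted({frozenset(b for b in range(n) if (a, b) in theta) for a in range(n)}, key=min)

# Constructed example 1: the three-element chain 0 < 1 < 2 as a distributive lattice,
# one of the matrices of the non-protoalgebraic system mentioned in the text.
CHAIN = [(2, min), (2, max)]                # meet and join
F_CHAIN = {2}                               # lattice filter {1}
G_CHAIN = {1, 2}                            # larger lattice filter {a, 1}

def chain_monotonicity_fails():
    """Theorem 1(ii) fails: F is a subset of G but Omega F is not a subset of Omega G."""
    om_f = leibniz_congruence(3, CHAIN, F_CHAIN)
    om_g = leibniz_congruence(3, CHAIN, G_CHAIN)
    return F_CHAIN <= G_CHAIN and not om_f <= om_g

# Constructed example 2: the four-element Boolean algebra on bit patterns 0b00..0b11,
# a model of classical logic (algebraizable), where the operator is monotone.
BOOL = [(2, lambda a, b: a & b), (2, lambda a, b: a | b), (1, lambda a: 3 ^ a)]

def boolean_monotone():
    """Filters {1} = {3} and {x, 1} = {1, 3}: Omega {1} is the identity, below Omega {x, 1}."""
    return leibniz_congruence(4, BOOL, {3}) <= leibniz_congruence(4, BOOL, {1, 3})

if __name__ == "__main__":
    for name, filt in (("F = {1}", F_CHAIN), ("G = {a, 1}", G_CHAIN)):
        om = leibniz_congruence(3, CHAIN, filt)
        print(name, "classes of the Leibniz congruence:", [sorted(b) for b in blocks(3, om)])
    print("monotonicity fails on the chain:", chain_monotonicity_fails())
    print("monotone on the Boolean algebra:", boolean_monotone())
```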

$E(x, y)$ is an equivalence system for a 1-deductive system $\mathcal{S}$ if it is a protoequivalence system satisfying the additional conditions

$$\frac{E(x, y)}{E(y, x)}, \qquad \frac{E(x, y),\ E(y, z)}{E(x, z)}, \qquad \frac{E(x_0, y_0), \ldots, E(x_{n-1}, y_{n-1})}{E(\lambda x_0 \ldots x_{n-1},\ \lambda y_0 \ldots y_{n-1})} \quad \text{for all } \lambda \in \mathcal{L}\ (n \text{ is the rank of } \lambda).$$



Theorem 2. The following conditions are equivalent for every deductive system $\mathcal{S}$.

(i) $\mathcal{S}$ has a finite equivalence system.

(ii) The Leibniz congruence operator has the following properties:

(a) it is monotonic on $\mathcal{S}$-filters;

(b) it commutes with inverse matrix homomorphisms in the sense that, for any $h\colon B \to A$ and $F \in \mathrm{Fi}_A\,\mathcal{S}$, $\Omega^B h^{-1}(F) = h^{-1}(\Omega^A F)$;

(c) it is continuous in the sense that $\Omega^A(\bigcup_{i \in I} F_i) = \bigcup_{i \in I} \Omega^A F_i$ for any set $\{F_i : i \in I\}$ of $\mathcal{S}$-filters that is upper directed under inclusion.

(iii) $\mathrm{Mod}^*\,\mathcal{S}$ is closed under submatrices, direct products, and ultraproducts (i.e., forms a quasivariety in the sense of Mal'cev [?]).

A deductive system is finitely equivalential if it satisfies any of the above conditions. The paradigms here are the applied quasi-ordered logics and the special sequent systems considered above, in particular the 2-deductive fragment of linear logic mentioned above.

In the sequel we use $K \approx L$ as an abbreviation for a set of equations $\{\, \kappa_i \approx \lambda_i : i \in I \,\}$. Let $\mathcal{S}$ be a finitely equivalential deductive system and $E(x, y)$ a finite equivalence system for $\mathcal{S}$. Then the equational consequence relation of the quasivariety $\mathrm{Alg\,Mod}^*\,\mathcal{S}$ can be faithfully interpreted in the consequence relation of $\mathcal{S}$ in the sense that, for all $K \approx L \cup \{\varphi \approx \psi\} \subseteq \mathrm{Fm}_{\mathcal{L}}$,

$$K \approx L \models_{\mathrm{Alg\,Mod}^*\,\mathcal{S}} \varphi \approx \psi \quad\text{iff}\quad \{\, E(\kappa, \lambda) : \kappa \approx \lambda \in K \approx L \,\} \vdash_{\mathcal{S}} E(\varphi, \psi). \tag{1}$$

The equivalence system $E$ is said to be invertible if there is a finite set of equations in two variables that defines a faithful interpretation of the consequence relation of $\mathcal{S}$ in the equational consequence relation of $\mathrm{Alg\,Mod}^*\,\mathcal{S}$ that is the inverse of (1).
Theorem 3. The following are equivalent for any deductive system $\mathcal{S}$.

(i) $\mathcal{S}$ has an invertible finite equivalence system.

(ii) The Leibniz congruence operator on $\mathcal{S}$-filters is monotone, continuous, and injective.

(iii) $\mathrm{Mod}^*\,\mathcal{S}$ is a quasivariety in the Mal'cev sense and each matrix in $\mathrm{Mod}^*\,\mathcal{S}$ is uniquely determined by its underlying algebra.

$\mathcal{S}$ is finitely algebraizable if it satisfies any of the conditions of this theorem. The quasivariety $\mathrm{Alg\,Mod}^*\,\mathcal{S}$ is called the equivalent algebraic semantics for $\mathcal{S}$.

4 Interpolation and Modularity 

Certain properties of specification languages concerning the notion of modularity of data type specifications can be conveniently formalized in terms of interpolation properties. Some references to the computer science literature on this subject are [?].

We survey here the connection between two basic interpolation properties and two semantical amalgamation properties, in the context of abstract algebraic logic. Details can be found in [?].

$\mathcal{S}$ is a $k$-deductive system over an arbitrary language $\mathcal{L}$. Recall that for each set of (sentential) variables $W$, $\mathrm{Fm}^k_{\mathcal{L}}(W)$ denotes the set of $k$-formulas over $W$ in $\mathcal{L}$. For $\varphi \in \mathrm{Fm}^k_{\mathcal{L}}(W)$ and $\Gamma \subseteq \mathrm{Fm}^k_{\mathcal{L}}(W)$, $\mathrm{var}\,\varphi$ and $\mathrm{var}\,\Gamma$ denote respectively the set of variables occurring in $\varphi$ and in at least one $\psi \in \Gamma$. For any $\Gamma, \Delta \subseteq \mathrm{Fm}^k_{\mathcal{L}}(W)$, $\Gamma \vdash_{\mathcal{S}} \Delta$ will mean $\Gamma \vdash_{\mathcal{S}} \varphi$ for all $\varphi \in \Delta$. $\Gamma \vdash_{\mathcal{S}} \varphi$ means that $\Gamma \vdash_{\mathcal{S}(W)} \varphi$ for any $W$ such that $\Gamma \cup \{\varphi\} \subseteq \mathrm{Fm}^k_{\mathcal{L}}(W)$. In the following definition the set $W$ of variables is arbitrary but fixed.

Definition 1. Let $\mathcal{S}$ be a $k$-deductive system and $W$ a set of variables. Let $\Gamma, \Delta \subseteq \mathrm{Fm}^k_{\mathcal{L}}(W)$ and $\varphi, \psi \in \mathrm{Fm}^k_{\mathcal{L}}(W)$.

(i) $\mathcal{S}$ has the Craig interpolation property if, whenever $\mathrm{var}\,\Gamma \cap \mathrm{var}\,\varphi \neq \emptyset$, we have

$$\Gamma \vdash_{\mathcal{S}} \varphi \;\Rightarrow\; \exists\,\Theta\,\bigl(\mathrm{var}\,\Theta \subseteq \mathrm{var}\,\Gamma \cap \mathrm{var}\,\varphi,\ \Gamma \vdash_{\mathcal{S}} \Theta,\ \Theta \vdash_{\mathcal{S}} \varphi\bigr).$$

(ii) $\mathcal{S}$ has the Maehara interpolation property if, whenever $\mathrm{var}\,\Gamma \cap \mathrm{var}(\Delta \cup \{\varphi\}) \neq \emptyset$, we have

$$\Gamma, \Delta \vdash_{\mathcal{S}} \varphi \;\Rightarrow\; \exists\,\Theta\,\bigl(\mathrm{var}\,\Theta \subseteq \mathrm{var}\,\Gamma \cap \mathrm{var}(\Delta \cup \{\varphi\}),\ \Gamma \vdash_{\mathcal{S}} \Theta,\ \Theta, \Delta \vdash_{\mathcal{S}} \varphi\bigr).$$

The first explicit appearance of the Maehara interpolation property in the literature appears to be in [?] where the property is established for the intuitionistic propositional logic. The term "Maehara interpolation property" now seems to be commonly used for this interpolation property in the literature of sentential logic. In the computer science literature it has been called both the "strong" interpolation property and the "modularization" property [?].
Definition 2. Let $\mathbf{L}$ be any category of $k$-matrices or $\mathcal{L}$-algebras.

(i) Assume $\mathbf{L}$-free extensions exist. $\mathbf{L}$ has the categorical flat amalgamation property if injections are transferable over free injections in $\mathbf{L}$, i.e., for all $\mathfrak{A}, \mathfrak{B}, \mathfrak{C} \in \mathbf{L}$ and every injective matrix homomorphism $f\colon \mathfrak{C} \to \mathfrak{A}$ and free injective matrix homomorphism $g\colon \mathfrak{C} \to \mathfrak{B}$, there exists a $\mathfrak{D} \in \mathbf{L}$, a free injection $h\colon \mathfrak{A} \to \mathfrak{D}$ and an injection $k\colon \mathfrak{B} \to \mathfrak{D}$ such that $h \circ f = k \circ g$.

(ii) $\mathbf{L}$ has the categorical modular amalgamation property if injections are transferable over all matrix homomorphisms in $\mathbf{L}$, i.e., for all $\mathfrak{A}, \mathfrak{B}, \mathfrak{C} \in \mathbf{L}$, every injective matrix homomorphism $f\colon \mathfrak{C} \to \mathfrak{A}$ and every matrix homomorphism $g\colon \mathfrak{C} \to \mathfrak{B}$, there exists $\mathfrak{D} \in \mathbf{L}$, an $h\colon \mathfrak{A} \to \mathfrak{D}$, and an injective $k\colon \mathfrak{B} \to \mathfrak{D}$ such that $h \circ f = k \circ g$.

A clean connection between the interpolation and amalgamation properties seems to require that we go at least up to the level of equivalential systems in the algebraic hierarchy.

Theorem 4. Let $\mathcal{S}$ be an equivalential deductive system. The following are equivalent.

(i) $\mathcal{S}$ has the Craig interpolation property.

(ii) $\mathrm{Mod}\,\mathcal{S}$ has the categorical flat amalgamation property.

(iii) $\mathrm{Mod}^*\,\mathcal{S}$ has the categorical flat amalgamation property.

Assume now that $\mathcal{S}$ is finitely algebraizable, and let $\mathsf{Q} = \mathrm{Alg\,Mod}^*\,\mathcal{S}$ be its equivalent algebraic semantics. Then all three of the above conditions are equivalent to

(iv) $\mathsf{Q}$ has the categorical flat amalgamation property.



Theorem 5. Let $\mathcal{S}$ be an equivalential deductive system. The following are equivalent.

(i) $\mathcal{S}$ has the Maehara interpolation property.

(iii) $\mathrm{Mod}^*\,\mathcal{S}$ has the categorical modular amalgamation property.

Assume now that $\mathcal{S}$ is finitely algebraizable, and let $\mathsf{Q} = \mathrm{Alg\,Mod}^*\,\mathcal{S}$ be its equivalent algebraic semantics. Then both of the above conditions are equivalent to

(iv) $\mathsf{Q}$ has the modular amalgamation property.
Abstract. The structuring of the specification and development of distributed systems according to viewpoints, as advocated by the Reference Model for Open Distributed Processing, raises the question of when such viewpoint specifications may be considered consistent with one another. In this paper, we analyse the notion of consistency in the context of formal process specification. It turns out that different notions of correctness give rise to different consistency relations. Each notion of consistency is formally characterised and placed in a spectrum of consistency relations. An example illustrates the use of these relations for consistency checking.



1 Introduction 

There is a growing awareness in distributed software engineering that the development of complex distributed systems can no longer be seen as a linear, top-down activity. It is now widely advocated to structure the specification and development of such systems according to, so called, viewpoints. Prominent examples of viewpoint oriented development models are the Reference Model for Open Distributed Processing (RM-ODP) [?], the Viewpoint Oriented Software Engineering (VOSE) framework [?], and object oriented analysis and design models, such as [?].

In contrast with the traditional 'waterfall' model of development, where an initial, abstract specification is stepwise refined to a final, concrete specification, viewpoint models allow specifiers to split up the complete specification of a complex system into a number of viewpoint specifications each concentrating on a particular concern or aspect of the system. Individual viewpoint specifications can then be developed further relatively independently of one another. The RM-ODP, for example, defines five viewpoints — enterprise, information, computational, engineering, and technology — from which distributed systems may be described.

One of the main problems in any multiple viewpoint approach to specification is defining and establishing that the various viewpoint specifications are consistent with one another. This problem becomes particularly challenging when we consider that different specification techniques may be applicable to different viewpoints. The ODP information viewpoint, for example, can be expressed quite naturally in Z, whereas LOTOS is considered more suitable for the computational viewpoint [?].
In some viewpoint models consistency is defined as a simple set of syntactic constraints. The Booch method [?] (supported by the Rational Rose¹ tool) for object oriented design, for example, requires that there is a corresponding operation in a Class Diagram for each message in a Sequence Diagram. Here, however, we are concerned with behavioural, or semantic, consistency.

In this paper, we analyse the consistency problem for a substantial number of process algebraic specification techniques. Process algebra provides a rich theory for the specification of behaviour. Therefore, this work should provide the formal foundations for consistency checking techniques for more 'user-friendly' behavioural specification notations, such as State Charts and Sequence Diagrams. In fact, the consistency relations identified in this paper are directly applicable to all specification formalisms of which the semantics can be expressed using labelled transition systems, traces, refusals or failures, e.g., CSP [?], CCS [?], and Object-Z [?].

2 Process Specification 

We introduce a simple process algebraic language similar to CCS and CSP for the description of process behaviour. The syntax is borrowed from LOTOS [?]:

$$P ::= \mathbf{stop} \;\mid\; a; P \;\mid\; P\ [\,]\ P \;\mid\; P\ |[A]|\ P \;\mid\; \mathbf{hide}\ A\ \mathbf{in}\ P \;\mid\; X$$

Here it is assumed that a set of action labels $L$ is given. Then, $a \in L \cup \{\tau\}$; $\tau \notin L$ is the unobservable, or internal, action; $A \subseteq L$; and $X$ is a process name. We will assume that a definition exists for each process name used. Process definitions are written $X := p$, where $p$ is a behaviour expression that can again contain process names, including possibly $X$ itself, thus making the definition recursive.

Semantically, process behaviour can be modelled in many different ways. In 
the following, we consider labelled transition systems, traces, refusals and some 
combinations of the latter two. 



2.1 Labelled Transition Systems 

Definition 1. A labelled transition system is a structure $(S, L, \rightarrow, s_0)$, where $S$ is a set of states, $L$ is a set of action labels, $\rightarrow \subseteq S \times (L \cup \{\tau\}) \times S$ is a transition relation, and $s_0 \in S$ is the initial state.

Each behaviour description is associated, in the usual manner, with a labelled transition system through the axioms and inference rules given in Table 1.

Often labelled transition systems are considered to be too concrete to abstractly specify system behaviour. It is therefore customary to interpret process specifications via, so called, implementation relations [?]. These are relations between a domain of implementations and a domain of specifications that formalise a particular notion of correctness. They may, for example, abstract from

¹ Rational Rose is a trademark of the Rational Software Corporation.
Table 1. Inference rules

$\vdash\ \alpha; p \xrightarrow{\alpha} p$

$p \xrightarrow{\alpha} p' \ \vdash\ p\ [\,]\ q \xrightarrow{\alpha} p'$

$q \xrightarrow{\alpha} q' \ \vdash\ p\ [\,]\ q \xrightarrow{\alpha} q'$

$p \xrightarrow{\alpha} p',\ \alpha \notin A \ \vdash\ p\ |[A]|\ q \xrightarrow{\alpha} p'\ |[A]|\ q$

$q \xrightarrow{\alpha} q',\ \alpha \notin A \ \vdash\ p\ |[A]|\ q \xrightarrow{\alpha} p\ |[A]|\ q'$

$p \xrightarrow{\alpha} p',\ q \xrightarrow{\alpha} q',\ \alpha \in A \ \vdash\ p\ |[A]|\ q \xrightarrow{\alpha} p'\ |[A]|\ q'$

$p \xrightarrow{\alpha} p',\ \alpha \notin A \ \vdash\ \mathbf{hide}\ A\ \mathbf{in}\ p \xrightarrow{\alpha} \mathbf{hide}\ A\ \mathbf{in}\ p'$

$p \xrightarrow{\alpha} p',\ \alpha \in A \ \vdash\ \mathbf{hide}\ A\ \mathbf{in}\ p \xrightarrow{\tau} \mathbf{hide}\ A\ \mathbf{in}\ p'$

$p \xrightarrow{\alpha} p',\ X := p \ \vdash\ X \xrightarrow{\alpha} p'$

the internal behaviour of an implementation and only verify whether the ex- 
ternally observable behaviour corresponds to the behaviour described in the 
specification. 

2.2 Traces and Refusals 

Let $L^*$ denote the set of all strings over the set of observable actions $L$. Elements of $L^*$ are also called traces. The empty string, or empty trace, is denoted $\varepsilon$ and $\sigma$ is used to range over $L^*$. Concatenation of traces is represented by juxtaposition.

In Table 2 the notion of transition is generalised to traces. We further define $\mathit{Tr}(p)$, the set of traces of a process $p$, $\mathit{Out}(p, \sigma)$, the set of possible actions after the trace $\sigma$, and $\mathit{Ref}(p, \sigma)$, the sets of actions refused by a process $p$ after the trace $\sigma$:

Definition 2.

$\mathit{Tr}(p) = \{\, \sigma \in L^* \mid p \stackrel{\sigma}{\Longrightarrow} \,\}$

$\mathit{Out}(p, \sigma) = \{\, a \in L \mid \exists p' \cdot p \stackrel{\sigma}{\Longrightarrow} p' \text{ and } p' \stackrel{a}{\Longrightarrow} \,\}$

$\mathit{Ref}(p, \sigma) = \{\, X \subseteq L \mid \exists p' \cdot p \stackrel{\sigma}{\Longrightarrow} p' \text{ and } \forall a \in X \cdot p' \stackrel{a}{\not\Longrightarrow} \,\}$



Table 2. Trace relations

Notation | Meaning
$\stackrel{\varepsilon}{\Longrightarrow}$ | $(\xrightarrow{\tau})^*$, i.e., the reflexive and transitive closure of $\xrightarrow{\tau}$
$p \stackrel{a}{\Longrightarrow} p'$ | $\exists q, q' \cdot p \stackrel{\varepsilon}{\Longrightarrow} q \xrightarrow{a} q' \stackrel{\varepsilon}{\Longrightarrow} p'$
$p \stackrel{\sigma}{\Longrightarrow}$ | $\exists p' \cdot p \stackrel{\sigma}{\Longrightarrow} p'$
$p \stackrel{\sigma}{\not\Longrightarrow}$ | $\nexists p' \cdot p \stackrel{\sigma}{\Longrightarrow} p'$



2.3 Implementation Relations 

A large number of implementation relations has been defined over labelled transition systems [?], each one capturing a different notion of correctness. In this paper, we consider only the most prominent trace and/or refusal based implementation relations from process algebra. Our selection is largely based on a pioneering study on implementation relations by Brinksma et al. [?].

Definition 3. Let $p, s \in \mathcal{P}$ be processes, then we define the following relations:

name | denotation | definition
trace refinement | $p \le_{tr} s$ | $\mathit{Tr}(p) \subseteq \mathit{Tr}(s)$
trace equivalence | $p \approx_{tr} s$ | $\mathit{Tr}(p) = \mathit{Tr}(s)$
conformance | $p\ \mathbf{conf}\ s$ | $\forall \sigma \in \mathit{Tr}(s) \cdot \mathit{Ref}(p, \sigma) \subseteq \mathit{Ref}(s, \sigma)$
reduction | $p\ \mathbf{red}\ s$ | $p \le_{tr} s$ and $p\ \mathbf{conf}\ s$
extension | $p\ \mathbf{ext}\ s$ | $s \le_{tr} p$ and $p\ \mathbf{conf}\ s$
testing equivalence | $p \approx_{te} s$ | $p\ \mathbf{red}\ s$ and $s\ \mathbf{red}\ p$



Perhaps the simplest implementation relation is trace refinement. It only 
verifies that the implementation cannot perform sequences of observable actions 
(traces) that are not allowed by the specification. This is useful for capturing, 
so called, safety properties. However, we cannot use it to specify that anything 
must happen. Trace equivalence is slightly stronger in that it requires that the 
implementation and specification have the same possible traces. Another notion 
of validity is captured by the conformance relation (conf), derived from testing 
theory. It requires for each trace of the specification, that the implementation 
can only refuse to do whatever the specification refuses after that trace. The 
reduction relation (red), sometimes referred to as testing preorder or failure 
preorder, is the intersection of trace refinement and conformance. It gives rise to 
a specification technique with which one can specify both that certain actions 
must happen and that certain traces are not allowed. The extension relation, 
on the other hand, allows that more traces are added in the implementation, as 
long as the implementation is still conformant to its specification. The strongest 
implementation relation considered here is testing equivalence. It requires that 
the observable behaviour of implementation resp. specification cannot be distin- 
guished through external testing. 

Process specifications, and in fact any other trace/refusal based specifications, can be interpreted under any of the implementation relations defined above to yield a different specification formalism [?] for system behaviour. In a multiple viewpoint approach to specification potentially all these formalisms may be used simultaneously. Below, we show how different viewpoints may require different implementation relations to adequately capture their intended meaning.



2.4 Example Viewpoint Specifications 

Consider the specification of a simple vending machine using the ODP viewpoints. (It is outside the scope of this paper to give definitions for the five ODP viewpoints. The interested reader is referred to [?] or the standard itself [?].)

From the enterprise viewpoint one might like to specify the following 
policies, divided in permissions and obligations: 
Permissions The system is permitted to exhibit any of the following traces of behaviour: $\{\varepsilon, \mathit{coin}, \mathit{coin}.\mathit{coffee}, \mathit{coin}.\mathit{tea}, \mathit{coin}.\mathit{coffee}.\mathit{coin}, \mathit{coin}.\mathit{tea}.\mathit{coin}, \ldots\}$. This could be captured by the following specification, when interpreted under the trace refinement relation ($\le_{tr}$):

Perm := coin; (coffee; Perm [] tea; Perm)

Obligations The system user is obliged to always first insert a coin into the machine. The following specification captures this. Here we have decided to interpret the specification under the extension relation (ext), so the specification does not prohibit any other behaviour.

Obl := coin; stop

From the computational viewpoint the system is viewed as a computa- 
tional object providing a computational interface upon which its environment 
(the user) can invoke one of three operations: coin, coffee and tea. 

Comp := τ; coin; (τ; coffee; Comp [] τ; tea; Comp)
        [] τ; coffee; Comp
        [] τ; tea; Comp

If the coin operation is invoked, the system will respond by offering its envi- 
ronment either coffee or tea. In case one of the other two operations is invoked 
by the environment, the system will return to its initial state. Non-determinism 
is used to indicate that not all of these operations need to be present in an 
implementation. Therefore, any reduction (red) is considered a correct imple- 
mentation. 

From the engineering viewpoint the system might be viewed as being composed of two components, a money handler (MH) and a drinks dispenser (DD), that communicate via a channel. As the channel is only introduced for internal communication it is hidden from the environment. The following specification of the engineering viewpoint is interpreted under the testing equivalence relation ($\approx_{te}$).

Eng := hide channel in MH |[channel]| DD 

MH := coin; channel; MH 

DD := channel; (coffee; DD [] tea; DD) 

The obvious question now is whether all these viewpoint specifications are 
consistent with one another. 

3 Consistency 

The purpose of this section is to define (necessary and sufficient) conditions for viewpoint specifications to be consistent. For the moment we will concentrate on binary consistency, i.e., consistency between two specifications. Informally, we call two specifications consistent if, and only if, they have at least one implementation in common, i.e., if there is an implementation that satisfies both specifications. The definition of consistency is thus parameterised on the notion of correctness that each specification is subjected to. As we have shown above, different viewpoint specifications may be subjected to interpretation under differing implementation relations. Therefore, each combination of implementation relations, $\mathit{imp}_1, \mathit{imp}_2$, gives rise to a different consistency relation, denoted $C_{\mathit{imp}_1,\mathit{imp}_2}$.

Definition 4. Let $\mathit{imp}_1, \mathit{imp}_2$ be implementation relations, then consistency between specifications subject to $\mathit{imp}_1$ and specifications subject to $\mathit{imp}_2$ is a binary relation $C_{\mathit{imp}_1,\mathit{imp}_2}$ such that, for any $s_1, s_2 \in \mathcal{P}$,

$$s_1\ C_{\mathit{imp}_1,\mathit{imp}_2}\ s_2 \;\Leftrightarrow\; \exists p \in \mathcal{P} \cdot p\ \mathit{imp}_1\ s_1 \wedge p\ \mathit{imp}_2\ s_2.$$

Considering $\le_{tr}$, $\approx_{tr}$, $\mathbf{conf}$, $\mathbf{red}$, $\mathbf{ext}$ and $\approx_{te}$ as instantiations for $\mathit{imp}_1$ and $\mathit{imp}_2$ in the definition of binary consistency, we obtain 36 different notions of consistency. Whenever $\mathit{imp}_1 = \mathit{imp}_2$, we speak of balanced consistency, denoted $C_{\mathit{imp}}$. Section 3.1 deals with these (six) cases. The issue of unbalanced consistency, the remaining 30 cases, is discussed in section 3.2. Omitted proofs may be found in [?].

It is useful sometimes to use the following alternative characterisation of consistency as the composition of two implementation relations:

Proposition 5. For any two implementation relations $\mathit{imp}_1, \mathit{imp}_2$,

$$C_{\mathit{imp}_1,\mathit{imp}_2} = \mathit{imp}_1^{-1} \circ \mathit{imp}_2.$$



3.1 Balanced Consistency 

This section largely summarises results from [?], where we considered only the balanced consistency problem.

Since both specifications (in the binary case) are subject to the same imple- 
mentation relation, binary, balanced consistency is a symmetric relation. 

Proposition 6. For any implementation relation $\mathit{imp}$, $C_{\mathit{imp}} = (C_{\mathit{imp}})^{-1}$.

We consider the six cases of binary, balanced consistency, denoted $C_{\mathit{imp}}$ for $\mathit{imp} \in \{\le_{tr}, \approx_{tr}, \mathbf{conf}, \mathbf{red}, \mathbf{ext}, \approx_{te}\}$. For two of these, $\mathit{imp}$ is instantiated with an equivalence relation. It is easily established that the consistency relation is equal to the implementation relation in those cases. Of the four remaining balanced consistency relations, three turn out to hold for any two specifications.



Theorem 7.

1. $C_{\approx_{tr}} = \approx_{tr}$
2. $C_{\approx_{te}} = \approx_{te}$
3. $C_{\le_{tr}} = \mathcal{P} \times \mathcal{P}$
4. $C_{\mathbf{conf}} = \mathcal{P} \times \mathcal{P}$
5. $C_{\mathbf{ext}} = \mathcal{P} \times \mathcal{P}$

Proof. The first two results follow from the symmetry and transitivity of $\approx_{tr}$ and $\approx_{te}$. The remaining cases are proved by exhibiting a bottom element in the respective refinement lattices. Such a bottom element is presented by a process $\bot$ such that $\forall s \cdot \bot\ \mathit{imp}\ s$. The existence of such a bottom element implies consistency, since $\forall s_1, s_2 \cdot \bot\ \mathit{imp}\ s_1 \wedge \bot\ \mathit{imp}\ s_2$.

3. $\forall s \cdot \mathbf{stop} \le_{tr} s$, hence $\mathbf{stop}$ is the required bottom element.

4. Define a process $\mathit{Run}$² that can perform all possible traces and never refuses any action, as follows:

$\mathit{Run} := \bigsqcup \{\, a; \mathit{Run} \mid a \in L \,\}$

Observe that, $\forall \sigma \in L^* \cdot \mathit{Ref}(\mathit{Run}, \sigma) = \{\emptyset\}$. Therefore, $\forall s \cdot \mathit{Run}\ \mathbf{conf}\ s$.

5. The process $\mathit{Run}$, defined above, also has more traces than any other process, i.e. $\forall s \cdot \mathit{Tr}(\mathit{Run}) = L^* \supseteq \mathit{Tr}(s)$. Therefore, $\forall s \cdot \mathit{Run}\ \mathbf{ext}\ s$. □

The following theorem gives a sufficient condition for two specifications (say 
Si and S2) to be consistent with respect to reduction. The condition requires 
that Si and S2 can at least refuse all the actions they may not both do after a 
certain trace. 

Theorem 8. Let $s_1, s_2 \in \mathcal{P}$ be two specifications, then $s_1\ C_{\mathbf{red}}\ s_2$ if:

$$\forall \sigma \in \mathit{Tr}(s_1) \cap \mathit{Tr}(s_2) \cdot L \setminus (\mathit{Out}(s_1, \sigma) \cap \mathit{Out}(s_2, \sigma)) \in \mathit{Ref}(s_1, \sigma) \cap \mathit{Ref}(s_2, \sigma)$$

Proof. See [?].

3.2 Unbalanced Consistency 

Unbalanced consistency is more complicated than the balanced case. First of all, there are many more cases of unbalanced consistency. Moreover, unlike balanced consistency relations, unbalanced ones are not symmetric. However, there is a close relationship between $C_{\mathit{imp}_1,\mathit{imp}_2}$ and $C_{\mathit{imp}_2,\mathit{imp}_1}$.

Proposition 9. For any two implementation relations $\mathit{imp}_1, \mathit{imp}_2$,

$$C_{\mathit{imp}_2,\mathit{imp}_1} = (C_{\mathit{imp}_1,\mathit{imp}_2})^{-1}.$$

Since it is easy to derive the inverse of a relation (just swap the arguments), this proposition gives an easy recipe for deriving $C_{\mathit{imp}_2,\mathit{imp}_1}$ from the relation with the implementation relations reversed, $C_{\mathit{imp}_1,\mathit{imp}_2}$. It halves our problem of finding 30 consistency conditions.

For the remaining 15 cases, observe that all implementation relations are re- 
flexive. The following proposition therefore allows us to derive at least a sufficient 
condition for consistency to hold in each of these cases. 



² The operator $\bigsqcup$ generalises the choice operator (_ [] _).
Proposition 10. Given a consistency relation $C_{\mathit{imp}_1,\mathit{imp}_2}$ such that $\mathit{imp}_1$ is reflexive,

$$\mathit{imp}_2 \subseteq C_{\mathit{imp}_1,\mathit{imp}_2}.$$

Proof. From reflexivity of $\mathit{imp}_1$, it follows that $\mathrm{Id} \subseteq \mathit{imp}_1^{-1}$. And, by monotonicity of $\circ$, $\mathit{imp}_2 = \mathrm{Id} \circ \mathit{imp}_2 \subseteq \mathit{imp}_1^{-1} \circ \mathit{imp}_2 = C_{\mathit{imp}_1,\mathit{imp}_2}$. □

Under the condition that the inverse of $\mathit{imp}_1$ is stronger than $\mathit{imp}_2$ and $\mathit{imp}_2$ is a transitive relation, $\mathit{imp}_2$ is both a necessary and sufficient condition. This result applies to six of the remaining cases.

Theorem 11. Given a consistency relation $C_{\mathit{imp}_1,\mathit{imp}_2}$ such that

— $\mathit{imp}_1$ is reflexive,

— $\mathit{imp}_2$ is transitive, and

— $\mathit{imp}_1^{-1} \subseteq \mathit{imp}_2$,

then $C_{\mathit{imp}_1,\mathit{imp}_2} = \mathit{imp}_2$.

Proof. By Prop. 10 we have $\mathit{imp}_2 \subseteq C_{\mathit{imp}_1,\mathit{imp}_2}$. In the other direction, we derive by monotonicity of $\circ$ and transitivity of $\mathit{imp}_2$, that $\mathit{imp}_1^{-1} \subseteq \mathit{imp}_2 \Rightarrow \mathit{imp}_1^{-1} \circ \mathit{imp}_2 \subseteq \mathit{imp}_2 \circ \mathit{imp}_2 \subseteq \mathit{imp}_2$. □



Corollary 12.

1. $C_{\approx_{te},\le_{tr}} = \le_{tr}$
2. $C_{\approx_{te},\approx_{tr}} = \approx_{tr}$
3. $C_{\approx_{te},\mathbf{red}} = \mathbf{red}$
4. $C_{\approx_{te},\mathbf{ext}} = \mathbf{ext}$
5. $C_{\approx_{tr},\le_{tr}} = \le_{tr}$
6. $C_{\mathbf{ext},\le_{tr}} = \le_{tr}$

Since testing equivalence is stronger than all other implementation relations, and because it is an equivalence, we almost always have $C_{\approx_{te},\mathit{imp}_2} = \mathit{imp}_2$.

The only case that is missing is when $\mathit{imp}_2 = \mathbf{conf}$. Even though $\mathbf{conf}$ is not transitive, we still have the same result.

Theorem 13. $C_{\approx_{te},\mathbf{conf}} = \mathbf{conf}$

Proof. By Prop. 10 we have $\mathbf{conf} \subseteq C_{\approx_{te},\mathbf{conf}}$. For inclusion in the other direction, observe that, by Prop. 5 and symmetry of $\approx_{te}$, $C_{\approx_{te},\mathbf{conf}} = \approx_{te} \circ \mathbf{conf}$. We now prove $\approx_{te} \circ \mathbf{conf} \subseteq \mathbf{conf}$ by extensionality: $\forall s_1, s_2 \in \mathcal{P}$,

$s_1\ (\approx_{te} \circ \mathbf{conf})\ s_2$

$\Rightarrow \exists p \cdot s_1 \approx_{te} p \wedge p\ \mathbf{conf}\ s_2$

$\Rightarrow (\forall \sigma \in L^* \cdot \mathit{Ref}(s_1, \sigma) = \mathit{Ref}(p, \sigma)) \wedge (\forall \sigma \in \mathit{Tr}(s_2) \cdot \mathit{Ref}(p, \sigma) \subseteq \mathit{Ref}(s_2, \sigma))$

$\Rightarrow \forall \sigma \in \mathit{Tr}(s_2) \cdot \mathit{Ref}(s_1, \sigma) \subseteq \mathit{Ref}(s_2, \sigma)$

$\Rightarrow s_1\ \mathbf{conf}\ s_2$. □



Of the remaining consistency relations, one holds for any two specifications. 
Theorem 14. $C_{\mathbf{ext},\mathbf{conf}} = \mathcal{P} \times \mathcal{P}$

Proof. Use the same witness as in the proofs of $C_{\mathbf{conf}} = C_{\mathbf{ext}} = \mathcal{P} \times \mathcal{P}$. □

The remaining two consistency relations with $\mathbf{ext}$ coincide with trace refinement.

Theorem 15.

$C_{\approx_{tr},\mathbf{ext}} = \ge_{tr}$

$C_{\mathbf{red},\mathbf{ext}} = \ge_{tr}$

Proof. In one direction, inclusion follows by a simple monotonicity argument:

1. Since $\mathbf{ext} \subseteq \ge_{tr}$, it follows that $C_{\approx_{tr},\mathbf{ext}} = \approx_{tr} \circ \mathbf{ext} \subseteq \approx_{tr} \circ \ge_{tr} = \ge_{tr}$.

2. Since $\mathbf{red}^{-1} \subseteq \ge_{tr}$ and $\mathbf{ext} \subseteq \ge_{tr}$, it follows that $C_{\mathbf{red},\mathbf{ext}} = \mathbf{red}^{-1} \circ \mathbf{ext} \subseteq \ge_{tr} \circ \ge_{tr} = \ge_{tr}$.

In the other direction, we need to exhibit a common implementation for any two specifications $s_1, s_2$ such that $s_1 \ge_{tr} s_2$. In both cases, such a common implementation is given by the deterministic process with the same traces as $s_1$. □

In an earlier version of this paper, we defined a relation $\mathbf{cons} \subseteq \mathcal{P} \times \mathcal{P}$ at this point (see definition 18) and proposed that being in this relation provided a sufficient and necessary condition for four of the remaining consistency relations, viz. $C_{\le_{tr},\mathbf{conf}}$, $C_{\le_{tr},\mathbf{red}}$, $C_{\mathbf{red},\mathbf{conf}}$, and $C_{\approx_{tr},\mathbf{conf}}$. However, we now know this not to be the case. Although $\mathbf{cons}$ is indeed a precise characterisation of $C_{\approx_{tr},\mathbf{conf}}$ (see theorem 19) and it plays a role in the characterisation of $C_{\approx_{tr},\mathbf{red}}$ (see theorem 20), $C_{\approx_{tr},\mathbf{conf}}$ does not coincide with the other three aforementioned consistency relations. We can, however, establish a relative ordering between the four relations.

Proposition 16.

1. $C_{\le_{tr},\mathbf{red}} = C_{\le_{tr},\mathbf{conf}}$
2. $C_{\approx_{tr},\mathbf{conf}} \subset C_{\le_{tr},\mathbf{conf}}$
3. $C_{\mathbf{red},\mathbf{conf}} \subset C_{\le_{tr},\mathbf{conf}}$

Proof.

1. Firstly, since $\mathbf{red} \subseteq \mathbf{conf}$, it follows that $C_{\le_{tr},\mathbf{red}} = \ge_{tr} \circ \mathbf{red} \subseteq \ge_{tr} \circ \mathbf{conf} = C_{\le_{tr},\mathbf{conf}}$. Secondly, suppose $\exists p \cdot p \le_{tr} s_1 \wedge p\ \mathbf{conf}\ s_2$, but $p \not\le_{tr} s_2$. There must then be a $\sigma \in \mathit{Tr}(p) \cap \mathit{Tr}(s_2)$ such that $a \in \mathit{Out}(p, \sigma) \setminus \mathit{Out}(s_2, \sigma)$ for some $a \in L$. However, then $\{a\} \in \mathit{Ref}(s_2, \sigma)$ so we can remove the $a$-transition from $p$ without invalidating that $p \le_{tr} s_1$ and $p\ \mathbf{conf}\ s_2$. Now, let $p'$ be the process constructed from $p$ by removing all these violating transitions and we clearly have $p' \le_{tr} s_1$ and $p'\ \mathbf{red}\ s_2$.

2. Since $\approx_{tr} \subseteq \ge_{tr}$, it follows that $C_{\approx_{tr},\mathbf{conf}} = \approx_{tr} \circ \mathbf{conf} \subseteq \ge_{tr} \circ \mathbf{conf} = C_{\le_{tr},\mathbf{conf}}$. Moreover, there exist specifications $s_1, s_2$ such that $s_1\ C_{\le_{tr},\mathbf{conf}}\ s_2$, but $\neg(s_1\ C_{\approx_{tr},\mathbf{conf}}\ s_2)$ (see example 17).

3. Since $\mathbf{red}^{-1} \subseteq \ge_{tr}$, it follows that $C_{\mathbf{red},\mathbf{conf}} = \mathbf{red}^{-1} \circ \mathbf{conf} \subseteq \ge_{tr} \circ \mathbf{conf} = C_{\le_{tr},\mathbf{conf}}$. Moreover, there exist specifications $s_1, s_2$ such that $s_1\ C_{\le_{tr},\mathbf{conf}}\ s_2$, but $\neg(s_1\ C_{\mathbf{red},\mathbf{conf}}\ s_2)$ (see example 17). □



Example 17. Consider the following specifications:

$s_1 := a; \mathbf{stop}\ [\,]\ b; \mathbf{stop}$

$s_2 := \tau; a; \mathbf{stop}\ [\,]\ b; c; \mathbf{stop}$

then we have $s_1\ C_{\le_{tr},\mathbf{conf}}\ s_2$, because $a; \mathbf{stop}$ is a common implementation, but not $s_1\ C_{\approx_{tr},\mathbf{conf}}\ s_2$ and not $s_1\ C_{\mathbf{red},\mathbf{conf}}\ s_2$. In the latter two cases, any common implementation would have to perform $b$ initially and then refuse $c$ to be an implementation of $s_1$, but such a process can never be conformant to $s_2$, which requires $c$ after $b$. □



Definition 18. Define a relation $\mathbf{cons} \subseteq \mathcal{P} \times \mathcal{P}$ as follows:

$$p\ \mathbf{cons}\ q \;\Leftrightarrow\; \forall \sigma \in \mathit{Tr}(p) \cap \mathit{Tr}(q) \cdot (L \setminus \mathit{Out}(p, \sigma)) \in \mathit{Ref}(q, \sigma).$$

The relation $\mathbf{cons}$ characterises $C_{\approx_{tr},\mathbf{conf}}$, as is shown in the following theorem. In order for a process $p$ to be 'trace-conf consistent' with a process $q$, $q$ must be able to refuse everything that $p$ cannot do after a certain trace $\sigma$ common to both $p$ and $q$.
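The relations of Definitions 2, 3 and 18 and the sufficient condition of Theorem 8 can all be computed on finite labelled transition systems, which makes the claims of Example 17 checkable. The following Python example is added here and is not the paper's code; it encodes the processes of Example 17 and the Perm and Obl processes of Section 2.4 directly as transition systems (state names such as s2a and P1 are constructed), computes $\mathit{Tr}$, $\mathit{Out}$ and $\mathit{Ref}$ via the maximal refusal set of each reachable state, and bounds trace length so that the recursive process Perm can be compared too.

```python
"""Trace/refusal semantics of Section 2 and the consistency checks of Section 3 (added
example, not the paper's code).  A process is a labelled transition system given as a
dict from state to a list of (label, next_state); "tau" is the internal action.  Traces
are enumerated up to a length bound, so recursive processes are compared up to that
bound; for finite acyclic processes such as Example 17 the comparison is exact."""
TAU = "tau"

class Proc:
    def __init__(self, init, trans):
        self.init, self.trans = init, trans

    def succ(self, state, label):
        return {t for lab, t in self.trans.get(state, []) if lab == label}

def tau_closure(p, states):
    """States reachable from `states` by internal steps only (Table 2: p =e=> p')."""
    seen, todo = set(states), list(states)
    while todo:
        for t in p.succ(todo.pop(), TAU) - seen:
            seen.add(t)
            todo.append(t)
    return seen

def after(p, sigma):
    """All p' with p =sigma=> p' (internal steps interleaved with observable actions)."""
    cur = tau_closure(p, {p.init})
    for a in sigma:
        cur = tau_closure(p, {t for s in cur for t in p.succ(s, a)})
    return cur

def traces(p, L, maxlen):
    """Tr(p) up to length maxlen: sigma is a trace iff after(p, sigma) is non-empty."""
    found, layer = {()}, {()}
    for _ in range(maxlen):
        layer = {s + (a,) for s in layer for a in L if after(p, s + (a,))}
        found |= layer
    return found

def out(p, L, sigma):
    """Out(p, sigma): actions still possible (after internal steps) once sigma is done."""
    return {a for a in L if after(p, sigma + (a,))}

def max_refusals(p, L, sigma):
    """Per state reached after sigma, the actions it cannot do even after internal steps;
    Ref(p, sigma) is the downward closure of these maximal refusal sets."""
    return {frozenset(a for a in L if not any(p.succ(t, a) for t in tau_closure(p, {s})))
            for s in after(p, sigma)}

def refuses(p, L, sigma, X):
    """X in Ref(p, sigma); always False when sigma is not a trace of p."""
    return any(X <= R for R in max_refusals(p, L, sigma))

# Definition 3, with p the implementation and s the specification.
def tr_refines(p, s, L, n):
    return traces(p, L, n) <= traces(s, L, n)

def conf(p, s, L, n):
    return all(refuses(s, L, sigma, X)
               for sigma in traces(s, L, n) for X in max_refusals(p, L, sigma))

def red(p, s, L, n):
    return tr_refines(p, s, L, n) and conf(p, s, L, n)

def ext(p, s, L, n):
    return tr_refines(s, p, L, n) and conf(p, s, L, n)

def cons(p, q, L, n):
    """Definition 18: after every common trace, q can refuse everything p cannot do."""
    return all(refuses(q, L, sigma, frozenset(L) - out(p, L, sigma))
               for sigma in traces(p, L, n) & traces(q, L, n))

def theorem8_condition(s1, s2, L, n):
    """Sufficient (not necessary) condition of Theorem 8 for s1 C_red s2."""
    for sigma in traces(s1, L, n) & traces(s2, L, n):
        X = frozenset(L) - (out(s1, L, sigma) & out(s2, L, sigma))
        if not (refuses(s1, L, sigma, X) and refuses(s2, L, sigma, X)):
            return False
    return True

# Constructed LTSs: Example 17 over L = {a, b, c}, and Perm/Obl from Section 2.4.
L17 = {"a", "b", "c"}
S1 = Proc("s1", {"s1": [("a", "stop"), ("b", "stop")]})              # a; stop [] b; stop
S2 = Proc("s2", {"s2": [(TAU, "s2a"), ("b", "s2b")],                 # tau; a; stop [] b; c; stop
                 "s2a": [("a", "stop")], "s2b": [("c", "stop")]})
P = Proc("p", {"p": [("a", "stop")]})                                # a; stop
LVM = {"coin", "coffee", "tea"}
PERM = Proc("Perm", {"Perm": [("coin", "P1")], "P1": [("coffee", "Perm"), ("tea", "Perm")]})
OBL = Proc("Obl", {"Obl": [("coin", "stop")]})

def example17(n=3):
    """a; stop witnesses s1 C_{<tr,conf} s2, but s1 cons s2 fails, so no C_{~tr,conf} witness."""
    return {"p <tr s1": tr_refines(P, S1, L17, n), "p conf s2": conf(P, S2, L17, n),
            "p conf s1": conf(P, S1, L17, n), "s1 cons s2": cons(S1, S2, L17, n),
            "thm8 s1 s2": theorem8_condition(S1, S2, L17, n)}

def vending(n=4):
    """Perm is an extension of Obl, hence a common implementation for (<tr, ext)."""
    return {"Perm ext Obl": ext(PERM, OBL, LVM, n), "Obl <tr Perm": tr_refines(OBL, PERM, LVM, n)}
```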

Theorem 19. $C_{\approx_{tr},\mathbf{conf}} = \mathbf{cons}$

Proof. Firstly from left to right. Assuming that $\exists p \cdot p \approx_{tr} s_1 \wedge p\ \mathbf{conf}\ s_2$ we need to show that $s_1\ \mathbf{cons}\ s_2$. Suppose not. By definition of $\mathbf{cons}$ this means that $L \setminus \mathit{Out}(s_1, \sigma) \notin \mathit{Ref}(s_2, \sigma)$ for some trace $\sigma \in \mathit{Tr}(s_1) \cap \mathit{Tr}(s_2)$. From the assumption that $p \approx_{tr} s_1$ it follows that $\mathit{Out}(p, \sigma) = \mathit{Out}(s_1, \sigma)$ and therefore that $L \setminus \mathit{Out}(p, \sigma) \notin \mathit{Ref}(s_2, \sigma)$. However, for $p$ to be a valid process (e.g., see [?, p. 62]), we must have $L \setminus \mathit{Out}(p, \sigma) \in \mathit{Ref}(p, \sigma)$, which contradicts that $p\ \mathbf{conf}\ s_2$.

Secondly, from right to left. Assume $s_1\ \mathbf{cons}\ s_2$. Next, construct a process $p$ with the following traces and refusals:

$\mathit{Tr}(p) = \mathit{Tr}(s_1)$

$\mathit{Ref}(p, \sigma) = \mathit{Ref}(s_2, \sigma)$, if $\sigma \in \mathit{Tr}(s_2)$

$\mathit{Ref}(p, \sigma) = \wp(L \setminus \mathit{Out}(p, \sigma))$, if $\sigma \in \mathit{Tr}(p) \setminus \mathit{Tr}(s_2)$

It immediately follows that $p \approx_{tr} s_1$ and $p\ \mathbf{conf}\ s_2$. However, it still needs to be verified that the combination of traces and refusals satisfies certain properties in order for them to define a valid process (e.g., see [?, p. 62]). Most of these properties follow trivially from the given definitions, but the following may require some formal justification:

$$X \in \mathit{Ref}(p, \sigma) \;\Rightarrow\; X \cup (L \setminus \mathit{Out}(p, \sigma)) \in \mathit{Ref}(p, \sigma)$$

By contradiction: suppose $X \cup (L \setminus \mathit{Out}(p, \sigma)) \notin \mathit{Ref}(p, \sigma)$ for some $\sigma \in \mathit{Tr}(p)$ such that $X \in \mathit{Ref}(p, \sigma)$. If $\sigma \notin \mathit{Tr}(s_2)$, then we have a straightforward contradiction, because then $L \setminus \mathit{Out}(p, \sigma) \in \mathit{Ref}(p, \sigma)$ by definition. Otherwise, there must be some $a \in L \setminus \mathit{Out}(p, \sigma)$ such that $\{a\} \notin \mathit{Ref}(p, \sigma)$, since $X \in \mathit{Ref}(p, \sigma)$. From the fact that $\mathit{Tr}(p) = \mathit{Tr}(s_1)$, we also know that $a \notin \mathit{Out}(s_1, \sigma)$. However, then it follows by $s_1\ \mathbf{cons}\ s_2$, that $\{a\} \in \mathit{Ref}(s_2, \sigma)$, which contradicts that $\{a\} \notin \mathit{Ref}(p, \sigma)$, because $\mathit{Ref}(p, \sigma) = \mathit{Ref}(s_2, \sigma)$ by definition. □

Theorem 20. $C_{\approx_{tr},red} = {\leq_{tr}} \cap cons$

Proof. In one direction, a simple calculation suffices:

$$C_{\approx_{tr},red} = {\approx_{tr}} \circ red = {\approx_{tr}} \circ ({\leq_{tr}} \cap conf)$$

$$\subseteq ({\approx_{tr}} \circ {\leq_{tr}}) \cap ({\approx_{tr}} \circ conf) = {\leq_{tr}} \cap cons$$

In the other direction, assume $s_1 \leq_{tr} s_2$ and $s_1 \mathrel{cons} s_2$ for some $s_1, s_2$. By
$s_1 \mathrel{cons} s_2$, we have $p \approx_{tr} s_1$ and $p \mathrel{conf} s_2$ for some $p$. By $s_1 \leq_{tr} s_2$, it then follows
that $p \leq_{tr} s_2$ and therefore that $p \mathrel{red} s_2$. □
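The relations of Definition 18 and Theorems 19 and 20, computed over finite labelled transition systems and checked against Example 17, as an added example that is not part of the paper. It assumes acyclic processes with internal action i, reads Ref(p, σ) as the refusals of stable states reached after σ, and adds a constructed variant a; stop [] b; c; stop of s1 to show a positive case of cons as well.

```python
"""Trace/refusal relations (<=tr, ~tr, conf, red, cons) on finite LTSs, checked on Example 17."""
from itertools import combinations

TAU = "i"  # internal action, written i in the paper's process expressions


class LTS:
    """Finite labelled transition system: an initial state and transitions (source, action, target)."""

    def __init__(self, init, trans):
        self.init = init
        self.trans = trans
        self.states = {init} | {s for s, _, _ in trans} | {d for _, _, d in trans}

    def step(self, states, action):
        return {d for s, a, d in self.trans if s in states and a == action}

    def tau_closure(self, states):
        closure, frontier = set(states), set(states)
        while frontier:
            frontier = self.step(frontier, TAU) - closure
            closure |= frontier
        return closure

    def after(self, trace):
        """States reachable after the visible trace (a tuple of actions)."""
        states = self.tau_closure({self.init})
        for a in trace:
            states = self.tau_closure(self.step(states, a))
        return states

    def initials(self, state):
        return {a for s, a, _ in self.trans if s == state}

    def is_stable(self, state):
        return TAU not in self.initials(state)


def powerset(L):
    return {frozenset(c) for r in range(len(L) + 1) for c in combinations(sorted(L), r)}


def Tr(p, L):
    """Tr(p): all visible traces. Complete for acyclic processes (assumed here);
    the length bound only guards against loops."""
    bound = len(p.states)
    found, frontier = {()}, {()}
    while frontier:
        nxt = {t + (a,) for t in frontier for a in L if len(t) < bound and p.after(t + (a,))}
        frontier = nxt - found
        found |= frontier
    return found


def Out(p, trace, L):
    """Out(p, sigma): the actions p can perform directly after sigma."""
    return {a for a in L if p.after(trace + (a,))}


def Ref(p, trace, L):
    """Ref(p, sigma): the sets of actions p can refuse after sigma, i.e. the sets
    disjoint from the initials of some stable state reached after sigma."""
    stable = [p.initials(q) for q in p.after(trace) if p.is_stable(q)]
    return {X for X in powerset(L) if any(not (X & ini) for ini in stable)}


def tr_le(p, q, L):   # p <=tr q
    return Tr(p, L) <= Tr(q, L)

def tr_eq(p, q, L):   # p ~tr q
    return Tr(p, L) == Tr(q, L)

def conf(p, q, L):    # p conf q: after any trace of q, p refuses no more than q
    return all(Ref(p, s, L) <= Ref(q, s, L) for s in Tr(q, L))

def red(p, q, L):     # p red q = p <=tr q and p conf q
    return tr_le(p, q, L) and conf(p, q, L)

def cons(p, q, L):    # Definition 18
    return all(frozenset(L - Out(p, s, L)) in Ref(q, s, L) for s in Tr(p, L) & Tr(q, L))


L17 = {"a", "b", "c"}
S1 = LTS(0, [(0, "a", 1), (0, "b", 2)])                              # a; stop [] b; stop
S2 = LTS(0, [(0, TAU, 1), (1, "a", 2), (0, "b", 3), (3, "c", 4)])   # i; a; stop [] b; c; stop
P = LTS(0, [(0, "a", 1)])                                            # a; stop, the common implementation
S1B = LTS(0, [(0, "a", 1), (0, "b", 2), (2, "c", 3)])                # constructed variant a; stop [] b; c; stop


def example_17():
    """P witnesses s1 C_{<=tr,conf} s2; cons fails, so by Theorems 19 and 20
    neither C_{~tr,conf} nor C_{~tr,red} holds, even though s1 <=tr s2."""
    return {"p <=tr s1 and p conf s2": tr_le(P, S1, L17) and conf(P, S2, L17),
            "s1 cons s2": cons(S1, S2, L17),
            "s1 <=tr s2": tr_le(S1, S2, L17)}


def positive_variant():
    """For the variant, cons holds and the variant itself is the witness: it is
    trace-equivalent to itself, conforms to s2 and, being <=tr s2, even reduces s2."""
    return {"s1' cons s2": cons(S1B, S2, L17),
            "s1' ~tr s1' and s1' conf s2": tr_eq(S1B, S1B, L17) and conf(S1B, S2, L17),
            "s1' red s2": red(S1B, S2, L17)}


if __name__ == "__main__":
    print(example_17())
    print(positive_variant())
```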

3.3 Summary of Consistency Results

By instantiating the general definition of binary consistency with the implementation
relations defined in Sect. [?], 36 different notions of consistency were
obtained. For most of these notions of consistency a necessary and sufficient condition
has been derived, in the form of a characterising relation, under which
two specifications can be considered consistent. Even though we did not yet find
such characterising relations for $C_{\leq_{tr},conf} = C_{\leq_{tr},red}$ and $C_{red,conf}$, we conjecture
that they exist nevertheless. In the following we denote these two unknown
relations $cs_1$ and $cs_2$, resp. The obtained results are summarised in Table 3.
In order to verify the consistency of two specifications $s_1, s_2$ interpreted via
implementation relations $imp_1, imp_2$, respectively, look up the relation in the
row labelled by $imp_1$ and the column labelled by $imp_2$. Say this is a relation
$C$. Now, if $s_1 \mathrel{C} s_2$, then $s_1 \mathrel{C_{imp_1,imp_2}} s_2$ holds.



Table 3. Consistency conditions (rows labelled by $imp_1$, columns by $imp_2$; among the labels are conf and red)
Fig. 1 relates the consistency relations in terms of their relative strength. The
strongest consistency relation ($\approx_{te}$) can be found at the bottom of the spectrum;
the weakest relation ($V \times V$) at the top. A line between two relations indicates
that the lower one is included in the higher one. It is always sufficient to verify
a strictly stronger relation rather than the required notion of consistency.

The relationships depicted in the bottom half of Fig. 1 are mostly well-known
results from the literature [?]. The other relationships between consistency
relations usually follow from a straightforward monotonicity argument
as in Prop. [?] or directly from the definitions.

3.4 Consistency Checking Example

Using the results obtained above, we can now verify the pair-wise consistency of
the specifications in Sect. 2.4:

— (Obl, ext) and (Perm, $\leq_{tr}$) are consistent, because Obl $\leq_{tr}$ Perm.

— (Obl, ext) and (Comp, red) are consistent, because Obl $\leq_{tr}$ Comp.

— (Eng, $\approx_{te}$) and (Obl, ext) are consistent, because Eng ext Obl.

— (Perm, $\leq_{tr}$) and (Comp, red) are consistent, because Perm red Comp, which
is a sufficient condition for consistency by Prop. [?].

— (Eng, $\approx_{te}$) and (Perm, $\leq_{tr}$) are not consistent, because Eng $\not\leq_{tr}$ Perm. The
problem here is that Eng has a trace $\langle coin, coin \rangle$, which is not allowed by
Perm. This is due to the concurrency in Eng.

— (Eng, $\approx_{te}$) and (Comp, red) are not consistent, because not Eng red Comp. Almost
the same problem as above: Eng cannot refuse to do a coin-action after
the initial coin, whereas Comp cannot do such an action.

The main problem with the engineering specification is that it allows a new coin
to be inserted already before the last drink has been taken. The inconsistency
can be resolved here by adding another synchronisation between the two parts
of the engineering specification (the same channel can be used for this):

NewEng := hide channel in MH |[channel]| DD
MH := coin; channel; channel; MH
DD := channel; (coffee; channel; DD [] tea; channel; DD)

With such a synchronisation in place the money handler will refuse the next coin 
until the previous drink has been taken out. The new engineering specification 
is consistent with both the permissions from the enterprise viewpoint and the 
computational specification. 

With the revised engineering specification the set of viewpoint specifications
is also globally consistent: there exists an implementation that satisfies all
four specifications. The common implementation is the engineering description
NewEng (see Fig. 2).

Fig. 2. Global consistency (diagram relating Perm, Obl, Comp and NewEng)



4 Conclusion

We have presented characterisations of all possible, i.e., balanced and unbalanced,
binary consistency relations between six different trace and/or refusal
based specification formalisms for process behaviour. These consistency relations
are vital if formal specifications are to be used in a multiple viewpoint
approach to specification, as is advocated, e.g., by the RM-ODP [?].

Various other approaches to partial process specification have been suggested
in the literature [?], some with associated consistency conditions. However,
those authors do not consider what we have called unbalanced consistency
relations.

Ongoing research at the University of Kent focuses on the ‘translation’ of 
the consistency relations to consistency checking techniques and tools for more 
‘user-friendly’, graphical specification notations. The main question here is “what 
implementation relations are (implicitly) assumed by specifiers of State Charts, 
Sequence Diagrams, etc?” 

Another topic for further study is how to deal with specifications at different
levels of abstraction. A single action in an enterprise specification may
correspond to a more complicated behaviour in the computational specification. 
In order to support consistency checking between such specifications, we need 
to consider also implementation relations that incorporate some form of action 
refinement. 
Abstract. We present an institution of observational logic suited for state-based
systems specifications. The institution is based on the notion of an observational 
signature (which incorporates the declaration of a distinguished set of observers) 
and on observational algebras whose operations are required to be compatible 
with the indistinguishability relation determined by the given observers. In 
particular, we introduce a homomorphism concept for observational algebras 
which adequately expresses observational relationships between algebras. Then 
we consider a flexible notion of observational signature morphism which 
guarantees the satisfaction condition of institutions w.r.t. observational 
satisfaction of arbitrary first-order sentences. From the proof theoretical point of
view we construct a sound and complete proof system for the observational 
consequence relation. Then we consider structured observational specifications 
and we provide a sound and complete proof system for such specifications by 
using a general, institution-independent result of [6]. 

1 Introduction 

In this paper we study a logical framework for the specification of the observable 
behaviour of software systems which is particularly suited for state-based systems but 
may also be used for specifying infinite data and behavioural properties of abstract 
data types. Formally, we introduce an institution of observational logic and we study 
proof methods for first-order observational properties of structured specifications built 
over this institution. 

Although our approach is novel, it is influenced by previous behavioural approaches, 
in particular of [4, 11, 16, 21, 23]. The important difference to [4] is that in the present 
approach we use a built-in observational semantics which previously led to problems 
w.r.t. the encapsulation of observational properties of parts of a system specification 
(cf. [1, 15]). In the hidden sorted algebra approach (cf. e.g. [11]) encapsulation is 
achieved at the cost of a rather restrictive notion of signature morphism which 
recently was generalized in [8] (see the discussion in Section 5). Another popular 
formalism which deals with a state-based view of systems is provided in the 
framework of coalgebras (cf. e.g. [23, 16]). These approaches, however, have 
problems to deal with n-ary operations working on several non-observable (hidden) 
argument sorts which frequently occur in practice (see also Section 5). Moreover, 
coalgebraic approaches are based on terminal semantics while we are interested in a 
loose semantics in order to obtain sufficient freedom for the choice of 
implementations.

The starting point of our approach is a methodological consideration: A well-known
method for specifying abstract data types (or, more concretely, for writing functional 
programs) is to determine first a set of constructor symbols which describe how the 
elements of the data type are constructed and then to define functions which can be 
applied to the data (usually by case distinction over the given constructors). An 
analogous method can be used for specifying state-based systems. First, a set of 
observer symbols is declared which determines an indistinguishability relation (also 
called observational equality) for the non-observable elements (i.e. for the states). 
Then the operations are specified, usually by describing their effects w.r.t. the given 
observers. 

Formally, these considerations lead to our notion of an observational signature which 
contains a distinguished set of observer symbols. A similar idea was presented in [21] 
(and recently in [9] and [8]).¹ Based on the notion of an observational signature we
define observational algebras as those structures whose operations are compatible 
with the observational equality (determined by the observers of the signature). In this 
way we obtain, in Section 3, a category of observational algebras with a notion of 
observational homomorphism that is suited to express observational relationships 
between algebras. Moreover, we establish a full and faithful functor from the category 
of observational algebras to the category of standard algebras which is compatible 
with the observational satisfaction relation defined in Section 4. 

In Section 5, we introduce the institution of observational logic. It turns out that our 
general notion of an observer (used in observational signatures) allows us to define a 
powerful notion of observational signature morphism which guarantees, nevertheless, 
that the (observational) satisfaction condition of the institution is valid. Then, in 
Section 6, we define a sound and complete proof system for observational logic. 

The results obtained so far allow us, first, to apply a generic construction of structured 
specifications over an arbitrary institution (cf. [24]), thus obtaining a basic language 
of structured observational specifications. Secondly, we can also apply a generic 
construction of a sound and complete proof system for structured specifications (cf. 
[6]) which leads to a corresponding proof system for structured observational 
specifications. 

2 Algebraic Preliminaries 



We assume the reader to be familiar with the basic notions of algebraic specifications (cf. e.g.
[18]), like the notions of (many-sorted) signature $\Sigma = (S, OP)$ (with a set $S$ of sorts and a set $OP$
of operation symbols $op: s_1, \ldots, s_n \to s$), signature morphism $\sigma: \Sigma \to \Sigma'$, total $\Sigma$-algebra $A =
((A_s)_{s \in S}, (op^A)_{op \in OP})$, $\Sigma$-congruence, $\Sigma$-term algebra $T(\Sigma, X)$, valuation $\alpha: X \to A$ and
interpretation $I_\alpha: T(\Sigma, X) \to A$. Throughout this paper we assume that the carrier sets $A_s$ of a
$\Sigma$-algebra are not empty and that $X = (X_s)_{s \in S}$ is a family of countably infinite sets $X_s$ of
variables of sort $s \in S$. The class of all $\Sigma$-algebras is denoted by $Alg(\Sigma)$. Together with $\Sigma$-
homomorphisms this class forms a category, for simplicity also denoted by $Alg(\Sigma)$.



¹ Indeed our notion of an "observer" is a generalization of an "action" in the sense of [21] and
of a "behavioural operation" in the sense of [8].
For any signature morphism $\sigma: \Sigma \to \Sigma'$ the reduct functor $\_|_\sigma: Alg(\Sigma') \to Alg(\Sigma)$ is defined as
usual. The reduct of a relation $\varphi' \subseteq A' \times B'$ w.r.t. $\sigma: \Sigma \to \Sigma'$ is denoted by $\varphi'|_\sigma$ where
$\varphi'|_\sigma \subseteq A'|_\sigma \times B'|_\sigma$ is defined by $(\varphi'|_\sigma)_s =_{def} \varphi'_{\sigma(s)}$ for all $s \in S$.

The set of (many-sorted) first-order $\Sigma$-formulas is defined as usual whereby we will also admit
infinitary $\Sigma$-formulas built by countably infinite conjunctions (or disjunctions). A finitary $\Sigma$-
formula is a $\Sigma$-formula which contains no infinitary conjunction (disjunction resp.) and a $\Sigma$-
sentence is a $\Sigma$-formula which contains no free variable. The (standard) satisfaction relation,
denoted by $A \models \phi$, is defined as usual in the first-order predicate calculus (with a
straightforward extension to infinitary formulas, cf. e.g. [17]). The notation $A \models \phi$ is extended
in the usual way to classes of algebras and sets of formulas. A $\Sigma$-sentence $\phi$ is a semantic
consequence of a set $\Theta$ of $\Sigma$-sentences, also denoted by $\Theta \models \phi$, if for any $\Sigma$-algebra $A$ with
$A \models \Theta$ we have $A \models \phi$.

3 The Category of Observational Algebras 

An observational signature is a generalization of a standard algebraic signature with a
distinguished set of observable sorts (determining the carrier sets of the observable
values) and with a distinguished set of observer operations (determining the
experiments that can be used to distinguish non-observable elements, often called
"states"). An n-ary operation $op: s_1, \ldots, s_n \to s$ with several non-observable argument
sorts may also be used as an observer (which is not the case in [21] and in [8]). In this
case $op$ is equipped with a "position number" $1 \le i \le n$ which indicates the argument
sort of the states to be observed by $op$. For instance, if $op: s_1, s_2 \to s$ is a binary
operation then we can declare either $(op, 1)$ or $(op, 2)$ or both, $(op, 1)$ and $(op, 2)$, as
observer thus obtaining as much flexibility as needed in practical examples.

Definition 3.1 (Observational signature) Let $\Sigma = (S, OP)$ be a signature and $S_{Obs} \subseteq S$
be a set of observable sorts. An observer is a pair $(op, i)$ where $(op: s_1, \ldots, s_n \to s)
\in OP$ is an operation symbol such that $1 \le i \le n$ and $s_i \notin S_{Obs}$. $(op, i)$ is a direct
observer of $s_i$ if $s \in S_{Obs}$, otherwise it is an indirect observer. If $op: s_1 \to s$ is a unary
observer we will simply write $op$ instead of $(op, 1)$. An observational signature
$\Sigma_{Obs} = (\Sigma, S_{Obs}, OP_{Obs})$ consists of a signature $\Sigma = (S, OP)$, a set $S_{Obs} \subseteq S$ of
observable sorts and a set $OP_{Obs}$ of observers $(op, i)$ with $op \in OP$. ♦

Convention We implicitly assume in the following (if not stated otherwise) that
whenever we consider an observational signature $\Sigma_{Obs}$, then $\Sigma_{Obs} = (\Sigma, S_{Obs}, OP_{Obs})$
with $\Sigma = (S, OP)$ and similarly for $\Sigma'_{Obs}$ etc.

Example 3.2 The following is a simple observational signature for bank accounts
with observer "bal" determining the balance of an account and an operation "update"
subsuming the usual credit and debit operations. Here and in the following examples
we use postfix notation for unary operations and infix notation for binary operations.

sorts {account, int}
observable sorts {int}
observers { _.bal: account → int }
operations { new: → account, _.update_ : account, int → account }

A more advanced signature for bank accounts may be obtained by introducing also an
indirect observer "_.undo: account → account" intended to reconstruct the previous
state of an account after having performed an action. ♦

Any observational signature determines a set of observable contexts which represent 
those experiments which allow us to distinguish elements by the given observers. 

Definition 3.3 ($\Sigma_{Obs}$-context) Let $\Sigma_{Obs}$ be an observational signature, let $X = (X_s)_{s \in S}$
be the generally assumed family of variable sets and let $Z = (\{z_s\})_{s \in S}$ be a disjoint
$S$-sorted family of singleton sets. For all $s, s' \in S$ the set $C(\Sigma_{Obs})_{s \to s'}$ of $\Sigma_{Obs}$-contexts
with "application sort" $s$ and "result sort" $s'$ is inductively defined as follows:

(1) For each $s \in S$, $z_s \in C(\Sigma_{Obs})_{s \to s}$.

(2) For each $(op, i) \in OP_{Obs}$ with $op: s_1, \ldots, s_n \to s'$, for each $c \in C(\Sigma_{Obs})_{s \to s_i}$ and
pairwise disjoint variables $x_1, \ldots, x_n$ (not occurring in $c$) of sort $s_1, \ldots, s_n$,

$$op(x_1, \ldots, x_{i-1}, c, x_{i+1}, \ldots, x_n) \in C(\Sigma_{Obs})_{s \to s'}.$$

Each context $c \in C(\Sigma_{Obs})_{s \to s'}$ contains, besides variables in $X$, exactly one occurrence
of the "context variable" $z_s$. The application of a context $c \in C(\Sigma_{Obs})_{s \to s'}$ to a term $t$ of
sort $s$, denoted by $c[t]$, is the term obtained by substituting the term $t$ for $z_s$.

An observable $\Sigma_{Obs}$-context is a $\Sigma_{Obs}$-context with observable result sort $s' \in S_{Obs}$.
We denote by $C(\Sigma_{Obs})_{s \to Obs}$ the set of observable contexts with application sort $s$. ♦

In Example 3.2 the only observable context is "$z_{account}$.bal". If we additionally use the
indirect observer "undo" then there are infinitely many observable contexts of the
form "$z_{account}$.undo.undo ... .bal".

Elements which cannot be distinguished by the experiments of an observational
signature are considered to be observationally equal, formally defined as follows.

Definition 3.4 ($\Sigma_{Obs}$-equality) Let $\Sigma_{Obs}$ be an observational signature. For any
$\Sigma$-algebra $A \in Alg(\Sigma)$ the observational $\Sigma_{Obs}$-equality on $A$ is denoted by $\approx_{\Sigma_{Obs},A}$ and
defined by:

For all $s \in S$, two elements $a, b \in A_s$ are observationally equal w.r.t. $\Sigma_{Obs}$, i.e.
$a \approx_{\Sigma_{Obs},A} b$, if and only if for all observable contexts $c \in C(\Sigma_{Obs})_{s \to Obs}$ and for all
valuations $\alpha, \beta: X \cup \{z_s\} \to A$ with $\alpha(x) = \beta(x)$ if $x \in X$, $\alpha(z_s) = a$, $\beta(z_s) = b$, we have
$I_\alpha(c) = I_\beta(c)$. Obviously, if $s$ is an observable sort, then for all $a, b \in A_s$, $a \approx_{\Sigma_{Obs},A} b$ is
equivalent to $a = b$. ♦

For any $\Sigma$-algebra $A$, $\approx_{\Sigma_{Obs},A}$ is an equivalence relation on $A$. But it is important to
note that for an arbitrary $\Sigma$-algebra $A$ there may exist (non-observer) operations which
are not compatible with the observational equality $\approx_{\Sigma_{Obs},A}$, i.e. $\approx_{\Sigma_{Obs},A}$ is in general
not a $\Sigma$-congruence on $A$.

In this paper we follow the loose semantics approach to algebraic specifications where 
a specification can be considered as a description of all admissible implementations 
(represented by the models of the specification). The basic assumption of the present 
approach is that, having declared a set of observers, an implementation can only be 
admissible if all its operations respect the observational equality determined by the 
given observers. Formally, this is expressed by the following notion of an
observational algebra. 

Definition 3.5 (Observational algebra) Let $\Sigma_{Obs}$ be an observational signature. An
observational $\Sigma_{Obs}$-algebra is a $\Sigma$-algebra $A$ such that $\approx_{\Sigma_{Obs},A}$ is a $\Sigma$-congruence on
$A$.² The class of all observational $\Sigma_{Obs}$-algebras is denoted by $Alg_{Obs}(\Sigma_{Obs})$. ♦

Note that in the special case where all operations $op \in OP$ are declared as observers
(for each non-observable argument sort) any $\Sigma$-algebra is an observational $\Sigma_{Obs}$-
algebra and $\approx_{\Sigma_{Obs},A}$ is the (total) observational equality of elements defined in
[4]³ and similarly in other approaches in the literature like, for instance, in [22, 11].

Let us now point out the relationship to the coalgebraic framework (cf. e.g. [16, 23]).
For this purpose assume that $\Sigma_{Obs} = (\Sigma, S_{Obs}, OP_{Obs})$ is an observational signature
such that for any observer $(op, i) \in OP_{Obs}$, $s_i$ is the only non-observable argument
sort of $op$. Moreover, assume that any observable sort $s \in S_{Obs}$ is interpreted in any
observational $\Sigma_{Obs}$-algebra by the same fixed set of observable values (e.g. integers,
booleans etc.). Then a (polynomial) functor $T: Set \to Set$ can be associated to $OP_{Obs}$
which captures the functionality of the observer symbols.⁴ Any observational
$\Sigma_{Obs}$-algebra $A$ is an extension of a $T$-coalgebra $C$ which has the same carrier sets as
$C$ and defines the non-observer operations $op \in OP \setminus OP_{Obs}$ on top of $C$. The fact that
the extension $A$ is an observational algebra is equivalent to the fact that each
operation of $OP$ preserves bisimilarity of elements (cf. e.g. [16]).

In order to obtain a category of observational algebras we still need an appropriate
morphism notion. Of course, since any observational algebra is a $\Sigma$-algebra, one could
simply use standard homomorphisms between $\Sigma$-algebras. But this does not reflect the
relationships between the observable behaviour of algebras. Therefore, we have
chosen another definition where an observational homomorphism is defined as an
appropriate relation which is compatible with observational equalities.

Definition 3.6 (Observational homomorphism) Let $A, B \in Alg_{Obs}(\Sigma_{Obs})$. An
observational $\Sigma_{Obs}$-homomorphism $\varphi: A \to B$ is an $S$-sorted family $(\varphi_s)_{s \in S}$ of
relations $\varphi_s \subseteq A_s \times B_s$ with the following properties for all $s \in S$:

(1) For all $a \in A_s$ there exists $b \in B_s$ such that $a \mathrel{\varphi_s} b$.

(2) For all $a \in A_s$, $b, b' \in B_s$, if $a \mathrel{\varphi_s} b$ then ($a \mathrel{\varphi_s} b'$ if and only if $b \approx_{\Sigma_{Obs},B} b'$).

(3) For all $a, a' \in A_s$, $b \in B_s$, if $a \mathrel{\varphi_s} b$ and $a \approx_{\Sigma_{Obs},A} a'$ then $a' \mathrel{\varphi_s} b$.

(4) For all $(op: s_1, \ldots, s_n \to s) \in OP$ and $a_i \in A_{s_i}$, $b_i \in B_{s_i}$,
if $a_i \mathrel{\varphi_{s_i}} b_i$ for $i = 1, \ldots, n$ then $op^A(a_1, \ldots, a_n) \mathrel{\varphi_s} op^B(b_1, \ldots, b_n)$. ♦



² Obviously, for this it is sufficient that all non-observer operations are compatible with
$\approx_{\Sigma_{Obs},A}$.

³ In [4] also partial observational equalities are considered. It should be straightforward to
extend our approach to this case.

⁴ If there is more than one non-observable sort in $S \setminus S_{Obs}$ then a set of functors has to be
associated to $\Sigma_{Obs}$.
Theorem 3.7 (The category of observational algebras)

For each observational signature $\Sigma_{Obs}$, the class $Alg_{Obs}(\Sigma_{Obs})$ together with
observational $\Sigma_{Obs}$-homomorphisms is a category which, by abuse of notation, will
also be denoted by $Alg_{Obs}(\Sigma_{Obs})$. Thereby the composition of observational
homomorphisms is the usual composition of relations and, for each observational
$\Sigma_{Obs}$-algebra $A$, the identity $id_A: A \to A$ in the category $Alg_{Obs}(\Sigma_{Obs})$ is the
observational equality $\approx_{\Sigma_{Obs},A}$. (The proof is straightforward; see [14].) ♦

Since for any observational $\Sigma_{Obs}$-algebra $A$ the observational equality $\approx_{\Sigma_{Obs},A}$ is a
$\Sigma$-congruence, we can construct the quotient algebra $A/\!\approx_{\Sigma_{Obs},A}$ which identifies all
elements of $A$ which are indistinguishable "from the outside". $A/\!\approx_{\Sigma_{Obs},A}$ can be
considered as the "black box view" of $A$ thus representing the "observable behaviour"
of $A$ w.r.t. $\Sigma_{Obs}$. Using this behaviour construction we obtain (for any observational
signature $\Sigma_{Obs}$) a functor from the category $Alg_{Obs}(\Sigma_{Obs})$ of observational algebras
into the category $Alg(\Sigma)$ of (standard) $\Sigma$-algebras which establishes a one to one
correspondence between observational homomorphisms $\varphi: A \to B$ and standard
homomorphisms $h: A/\!\approx_{\Sigma_{Obs},A} \to B/\!\approx_{\Sigma_{Obs},B}$, i.e. the functor is full and faithful.

Theorem 3.8 (Behaviour functor) For any observational signature $\Sigma_{Obs}$,
$Beh_{\Sigma_{Obs}}: Alg_{Obs}(\Sigma_{Obs}) \to Alg(\Sigma)$ is a full and faithful functor where $Beh_{\Sigma_{Obs}}$ is defined by:

For each $A \in Alg_{Obs}(\Sigma_{Obs})$, $Beh_{\Sigma_{Obs}}(A) =_{def} A/\!\approx_{\Sigma_{Obs},A}$;

for each observational $\Sigma_{Obs}$-homomorphism $\varphi: A \to B$,
$Beh_{\Sigma_{Obs}}(\varphi): A/\!\approx_{\Sigma_{Obs},A} \to B/\!\approx_{\Sigma_{Obs},B}$ is defined by $Beh_{\Sigma_{Obs}}(\varphi)([a]) =_{def} [b]$ if $a \mathrel{\varphi} b$.

(For $A \in Alg_{Obs}(\Sigma_{Obs})$, $Beh_{\Sigma_{Obs}}(A)$ is called the observational behaviour of $A$. The
proof of the theorem is straightforward; see [14].) ♦

Remark 3.9 Since $Beh_{\Sigma_{Obs}}$ is full and faithful, it is obvious that two observational
algebras are observationally isomorphic if and only if they have isomorphic
behaviours. Hence, as a consequence of a result in [4], observational isomorphism
coincides with usual notions of observational equivalence between algebras (cf. e.g.
[22]).⁵ This also points out the adequacy of our morphism notion. ♦

4 Observational Satisfaction 

The underlying idea of the observational satisfaction relation is to interpret the
equality symbol "=" occurring in a first-order formula $\phi$ not by the set-theoretic
equality but by the observational equality of elements.

Definition 4.1 The observational satisfaction relation between observational $\Sigma_{Obs}$-
algebras and $\Sigma$-formulas is denoted by $\models_{\Sigma_{Obs}}$ and defined as follows:

(1) For any two terms $t, r \in T(\Sigma, X)_s$ of the same sort $s$ and for any valuation
$\alpha: X \to A$, $A, \alpha \models_{\Sigma_{Obs}} t = r$ holds if $I_\alpha(t) \approx_{\Sigma_{Obs},A} I_\alpha(r)$.



⁵ To our knowledge [20] is the first paper where observational equivalence of algebras is
characterized by isomorphism of some category.
(2) For any arbitrary $\Sigma$-formula $\phi$ and for any valuation $\alpha: X \to A$, $A, \alpha \models_{\Sigma_{Obs}} \phi$ is
defined by induction over the structure of the formula $\phi$ in the usual way.

(3) For any arbitrary $\Sigma$-formula $\phi$, $A \models_{\Sigma_{Obs}} \phi$ holds if for all valuations $\alpha: X \to A$,
$A, \alpha \models_{\Sigma_{Obs}} \phi$ holds.

The notation $A \models_{\Sigma_{Obs}} \phi$ is extended in the usual way to classes of observational
algebras and sets of formulas. ♦

Technically the observational satisfaction relation could be defined in the same way
for arbitrary $\Sigma$-algebras which do not necessarily belong to $Alg_{Obs}(\Sigma_{Obs})$. This is the
approach of extended hidden algebra (cf. [8]) where a special predicate symbol is
introduced for representing the observational equality of (non-observable) elements.
But then the congruence rule of the equational calculus is only sound w.r.t. $\models_{\Sigma_{Obs}}$ if one
can prove that all operations of a specification are "behaviourally coherent", i.e. are
compatible with the given observational equality.⁶

Definition 4.2 (Observational consequence) A $\Sigma$-sentence $\phi$ is an observational
consequence of a set $\Theta$ of $\Sigma$-sentences, also denoted by $\Theta \models_{\Sigma_{Obs}} \phi$, if for any
observational $\Sigma_{Obs}$-algebra $A$, $A \models_{\Sigma_{Obs}} \Theta$ implies $A \models_{\Sigma_{Obs}} \phi$. ♦

The next proposition shows that the behaviour functor defined in Theorem 3.8 is
compatible with the observational and the standard satisfaction relations. (For the
proof see [14].)

Proposition 4.3 For any $A \in Alg_{Obs}(\Sigma_{Obs})$ and any $\Sigma$-formula $\phi$,
$A \models_{\Sigma_{Obs}} \phi$ if and only if $Beh_{\Sigma_{Obs}}(A) \models \phi$.⁷ ♦

As a consequence of Remark 3.9 and Proposition 4.3 we can generalize Scott's
theorem (cf. e.g. [17]) to observational algebras and observational satisfaction (taking
into account that $\Sigma$-formulas may be infinitary; cf. Section 2).

Corollary 4.4 (Observational version of Scott's theorem)⁸

Let $A, B \in Alg_{Obs}(\Sigma_{Obs})$ be two observational $\Sigma_{Obs}$-algebras such that $Beh_{\Sigma_{Obs}}(A)$ and
$Beh_{\Sigma_{Obs}}(B)$ are countable. The following conditions are equivalent:

(1) $A$ and $B$ are observationally isomorphic.

(2) For all (possibly infinitary) $\Sigma$-formulas $\phi$, $A \models_{\Sigma_{Obs}} \phi$ if and only if $B \models_{\Sigma_{Obs}} \phi$. ♦

We are now able to define the syntax and semantics of flat observational
specifications. Structured specifications will be considered in Section 7.

⁶ The idea of introducing a denotation for observational equalities is suggested in [2, 3] as a
proof-theoretic means for proving behavioural theorems and implementation correctness.

⁷ In an abstract category-theoretic setting this fact can be used as a definition of behavioural
satisfaction as in [7] and [5].

⁸ A related result, but formulated in terms of observational equivalence of algebras instead of
observational isomorphism, is given in [4].
Definition 4.5 A flat observational specification $SP = \langle \Sigma_{Obs}, Ax \rangle$ consists of an
observational signature $\Sigma_{Obs} = (\Sigma, S_{Obs}, OP_{Obs})$ and a set $Ax$ of $\Sigma$-sentences, called
the axioms of $SP$. The semantics of $SP$ is given by its signature $Sig_{Obs}(SP)$ and by its
class of models $Mod_{Obs}(SP)$ which are defined by

$$Sig_{Obs}(SP) =_{def} \Sigma_{Obs}, \qquad Mod_{Obs}(SP) =_{def} \{A \in Alg_{Obs}(\Sigma_{Obs}) \mid A \models_{\Sigma_{Obs}} Ax\}. \quad ♦$$

For any observational specification $SP$, the class $Mod_{Obs}(SP)$ is closed under
observational isomorphisms.

Example 4.6 The following specification of bank accounts has additionally to
the account operations of Example 3.2 an operation "paycharge" which reduces the
balance of an account by a constant monthly fee.

spec ACCOUNT =
  sorts {account, int}
  observable sorts {int}
  observers { _.bal: account → int, _.undo: account → account }
  operations "operations for the integers" ∪
    { new: → account, _.update_ : account, int → account,
      _.paycharge: account → account }
  axioms "axioms for the integers" ∪
    { ∀x: int, s: account.
      new.bal = 0, new.undo = new,
      s.update(x).bal = s.bal + x, s.update(x).undo = s,
      s.paycharge.bal = s.bal - 10, s.paycharge.undo = s }



A possible model of the specification ACCOUNT which satisfies the axioms even 
literally can be defined in terms of lists of integers. Another model which satisfies the 
axioms observationally (but not literally) can be constructed by using the well-known 
array with pointer realization of lists. 

In the above specification the behaviour of the operations is uniquely specified w.r.t. 
the given observers. A proper loose specification can be obtained, for instance, by 
removing the equations for the "paycharge" operation. Then the semantics of the 
specification is still restricted to those models where the interpretation of "paycharge" 
is compatible with the given observational equality (since only observational algebras 
are admissible models). ♦ 
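The two models that Example 4.6 describes in words, written out as an added example that is not the paper's own code: a list-of-integers model that satisfies the ACCOUNT axioms literally, and an array-with-pointer model that satisfies them only observationally. Observational equality is decided through the observable contexts z.undo^n.bal of Definition 3.3; the account history is constructed, and the fee of 10 is the one fixed by the paycharge axiom.

```python
"""Two models of the ACCOUNT specification of Example 4.6, compared literally and up to
the observational equality of Definition 3.4 (added example, not the paper's code)."""

FEE = 10  # the constant monthly fee fixed by the axiom s.paycharge.bal = s.bal - 10


class ListModel:
    """Accounts as the tuple of all balances so far (a list of integers).
    Satisfies the ACCOUNT axioms literally."""
    new = (0,)

    @staticmethod
    def bal(s):
        return s[-1]

    @staticmethod
    def update(s, x):
        return s + (s[-1] + x,)

    @staticmethod
    def paycharge(s):
        return s + (s[-1] - FEE,)

    @staticmethod
    def undo(s):
        return s[:-1] if len(s) > 1 else s   # new.undo = new


class ArrayModel:
    """Array-with-pointer realisation of the same list: the state is the whole array
    plus an index. undo only moves the index back, so stale cells stay behind and
    s.update(x).undo is not literally s, only observationally."""
    new = ((0,), 0)

    @staticmethod
    def bal(s):
        arr, ptr = s
        return arr[ptr]

    @staticmethod
    def _push(s, value):
        arr, ptr = s                          # overwrite (or append) the cell after ptr
        return (arr[:ptr + 1] + (value,) + arr[ptr + 2:], ptr + 1)

    @staticmethod
    def update(s, x):
        return ArrayModel._push(s, ArrayModel.bal(s) + x)

    @staticmethod
    def paycharge(s):
        return ArrayModel._push(s, ArrayModel.bal(s) - FEE)

    @staticmethod
    def undo(s):
        arr, ptr = s
        return (arr, max(ptr - 1, 0))         # new.undo = new


def obs_equal(model, a, b):
    """Definition 3.4 for ACCOUNT: a and b are observationally equal iff every observable
    context z.undo^n.bal (Definition 3.3) yields the same value. In both models undo
    reaches the literal fixed point new, after which all further contexts agree, so
    finitely many n suffice and the loop terminates."""
    while True:
        if model.bal(a) != model.bal(b):
            return False
        a_next, b_next = model.undo(a), model.undo(b)
        if a_next == a and b_next == b:
            return True
        a, b = a_next, b_next


def satisfies_update_undo(model, s, x, eq):
    """The axiom s.update(x).undo = s, with '=' interpreted by the equality eq."""
    return eq(model.undo(model.update(s, x)), s)


def is_compatible(model, a, b, x):
    """Definition 3.5 on a sample: observationally equal states must stay observationally
    equal under the non-observer operations update and paycharge."""
    if not obs_equal(model, a, b):
        return True                           # nothing to check for unrelated states
    return (obs_equal(model, model.update(a, x), model.update(b, x))
            and obs_equal(model, model.paycharge(a), model.paycharge(b)))


def check_models():
    """Run both models on a constructed history (50 credited, 20 debited, one charge paid)
    and report literal versus observational satisfaction."""
    results = {}
    for model in (ListModel, ArrayModel):
        s = model.paycharge(model.update(model.update(model.new, 50), -20))
        s_again = model.undo(model.update(s, 7))   # observationally the same account as s
        results[model.__name__] = {
            "update-undo literally": satisfies_update_undo(model, s, 7, lambda p, q: p == q),
            "update-undo observationally": satisfies_update_undo(
                model, s, 7, lambda p, q: obs_equal(model, p, q)),
            "bal axioms": (model.bal(model.new) == 0
                           and model.bal(model.update(s, 7)) == model.bal(s) + 7
                           and model.bal(model.paycharge(s)) == model.bal(s) - FEE),
            "compatible": is_compatible(model, s, s_again, 3),
        }
    return results


if __name__ == "__main__":
    print(check_models())
```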

5 The Institution of Observational Logic 

The category of observational algebras is the basis for defining an institution (cf. [10]) 
of observational logic which captures the model-theoretic view of the observable 
behaviour of systems. An essential ingredient to build an institution is an appropriate 
morphism notion for observational signatures which is defined as follows. 

Definition 5.1 (Observational signature morphism) Let $\Sigma_{Obs} = (\Sigma, S_{Obs}, OP_{Obs})$
and $\Sigma'_{Obs} = (\Sigma', S'_{Obs}, OP'_{Obs})$ be two observational signatures with $\Sigma = (S, OP)$ and
$\Sigma' = (S', OP')$. An observational signature morphism $\sigma: \Sigma_{Obs} \to \Sigma'_{Obs}$ is a signature
morphism $\sigma: \Sigma \to \Sigma'$ such that the following conditions are satisfied:

(1) For all $s \in S$, $s \in S_{Obs}$ if and only if $\sigma(s) \in S'_{Obs}$.

(2) If $(op, i) \in OP_{Obs}$ then $(\sigma(op), i) \in OP'_{Obs}$.

(3) If $(op', i) \in OP'_{Obs}$ such that $op': s'_1, \ldots, s'_n \to s'$ and $s'_i = \sigma(s)$ for some $s \in S$
then there exists $(op, i) \in OP_{Obs}$ with $op: s_1, \ldots, s_n \to s$ such that $op' = \sigma(op)$. ♦

Condition (1) is standard. It requires that observable and non-observable sorts are
preserved by $\sigma$. Condition (2) requires that also observers are preserved by $\sigma$.
Condition (3) is essential for the satisfaction condition presented below. It says that
whenever the image $\sigma(s)$ of some "old" sort $s$ of $\Sigma_{Obs}$ is observed by an observer
$op'$ of $\Sigma'_{Obs}$ then there must be a corresponding observer $op$ of $\Sigma_{Obs}$ which observes $s$
and which is mapped to $op'$. Thus no "new" observations can be introduced for "old"
sorts. However, it is important to note that there is still sufficient flexibility for the
following:

1. We can introduce new operation symbols in $OP' \setminus OP'_{Obs}$ which are not in the image
of $\sigma$ but nevertheless may have argument sorts which are in the image of $\sigma$. A
standard example may be given by the signature of a specification of a bank which is
based on (i.e. imports) a specification of accounts. Then the bank specification may
introduce a new operation "_.add_: bank, account → bank" for adding an account to a
bank. This is not a problem as long as "add" is not used as an observer for accounts
(i.e. (add, 2) is not an observer, which indeed would be strange). Examples like this,
where some argument sorts of an operation are imported from another signature,
frequently occur in practice, in particular in object-oriented programming. This
situation cannot be dealt with by hidden signature morphisms; cf. e.g. [19]. Extended
hidden algebra, however, solves this problem; cf. [8].

2. We can introduce new observers $(op', i)$ in $OP'_{Obs}$ as long as the observed sort $s'_i$ is
not in the image of $\sigma$. For instance, in the bank example one has definitely to
introduce some observer(s) for the new sort "bank". This can neither be done in
hidden algebra nor in extended hidden algebra.

Definition 5.2 (Observational reduct functor) For any observational signature 
morphism σ: Σ_obs → Σ'_obs, Alg_obs(σ): Alg_obs(Σ'_obs) → Alg_obs(Σ_obs) is defined by: 

For each A' ∈ Alg_obs(Σ'_obs), Alg_obs(σ)(A') =def A'|_σ. 

For each observational Σ'_obs-homomorphism φ': A' → B', 

Alg_obs(σ)(φ'): A'|_σ → B'|_σ is defined by Alg_obs(σ)(φ') =def φ'|_σ. 

(See Section 2 for the definition of the reducts A'|_σ and φ'|_σ.) ♦ 

The following lemma is essential for proving that Alg_obs(σ) is indeed a well-defined 
functor (cf. Theorem 5.4) and also for checking the (observational) satisfaction 
condition (cf. Theorem 5.5). It says that the observational equality is preserved by 
observational reducts. (The proof of the lemma and of the subsequent theorems is 
given in [14].) 

Lemma 5.3 For any observational signature morphism σ: Σ_obs → Σ'_obs and 
observational Σ'_obs-algebra A' ∈ Alg_obs(Σ'_obs), 

$$(\approx_{\Sigma'_{obs}, A'})|_{\sigma} = \approx_{\Sigma_{obs}, (A'|_{\sigma})}. \ \blacklozenge$$

Theorem 5.4 For any observational signature morphism σ: Σ_obs → Σ'_obs, 
Alg_obs(σ): Alg_obs(Σ'_obs) → Alg_obs(Σ_obs) is a well-defined functor. ♦ 

We are now able to state the satisfaction condition for observational logic, which 
generalizes the satisfaction condition for hidden algebra. It guarantees encapsulation 
in the sense that observational properties are respected when composing 
specifications. In Section 7 we will consider structured specifications and we will see 
how a straightforward sound and complete proof system for structured specifications 
can be constructed, which relies on the validity of the satisfaction condition. 

Theorem 5.5 (Observational satisfaction condition) Let σ: Σ_obs → Σ'_obs be an 
observational signature morphism. For any A' ∈ Alg_obs(Σ'_obs) and Σ-sentence φ, 

$$A' \models_{\Sigma'_{obs}} \sigma(\varphi) \quad \text{if and only if} \quad Alg_{obs}(\sigma)(A') \models_{\Sigma_{obs}} \varphi \qquad (1)$$

where σ(φ) is the usual extension of a signature morphism to Σ-sentences. ♦ 

Corollary 5.6 (The institution of observational logic) 

The quadruple INS_obs = (Sig_obs, Sen_IFOLEQ, Alg_obs, ⊨_obs) is an institution whereby: 

• Sig_obs is the category of observational signatures and observational signature 
morphisms. 

• The functor Sen_IFOLEQ: Sig_obs → Set maps 

- each observational signature Σ_obs = (Σ, S_obs, OP_obs) to the set of (possibly 
infinitary) many-sorted first-order Σ-sentences (cf. Section 2) and 

- each observational signature morphism σ: Σ_obs → Σ'_obs to the obvious 
translation function which transforms Σ-sentences into Σ'-sentences. 

• The functor Alg_obs: (Sig_obs)^op → Cat maps 

- each observational signature Σ_obs to the category Alg_obs(Σ_obs) of 
observational Σ_obs-algebras and observational Σ_obs-homomorphisms and 

- each observational signature morphism σ: Σ_obs → Σ'_obs to the observational 
reduct functor Alg_obs(σ): Alg_obs(Σ'_obs) → Alg_obs(Σ_obs). 

• ⊨_obs = (⊨_Σobs)_{Σobs ∈ |Sig_obs|} where, for each observational signature Σ_obs, ⊨_Σobs 
is the observational satisfaction relation of a Σ-sentence by an observational 
Σ_obs-algebra. ♦ 

According to Proposition 4.3 the family (I_Σobs)_{Σobs ∈ |Sig_obs|} of (faithful) 
functors Alg_obs(Σ_obs) → Alg(Σ) can be extended to an institution morphism 
(cf. [10]) which maps the institution of observational logic to the institution of 
(standard) infinitary first-order logic. 

6 A Proof System for Observational Logic 

In this section we study the proof theory for observational logic. For defining an 
appropriate proof system we first associate to any observational signature Σ_obs the 
following set FA_Σobs of Σ-sentences. 

Definition 6.1 Let Σ_obs = (Σ, S_obs, OP_obs) be an observational signature with 
Σ = (S, OP). FA_Σobs =def {FA_Σobs(s) | s ∈ S\S_obs} where for any s ∈ S\S_obs, 

$$FA_{\Sigma_{obs}}(s) =_{def} \forall x_l, x_r : s.\ \Big( \bigwedge_{c \in C(\Sigma_{obs})_{s, S_{obs}}} \forall Var(c).\ c[x_l] = c[x_r] \Big) \Rightarrow x_l = x_r.$$

Thereby Var(c) denotes the set of all variables occurring in c besides the context 
variable z_s. ♦ 

The underlying idea for considering FA_Σobs stems from a result in [4] where it is 
shown that the behavioural theory of a class C of Σ-algebras coincides with the 
standard theory of the fully abstract algebras of C. The following theorem shows that 
indeed the sentences FA_Σobs allow us to characterize the observational consequence 
relation in terms of the standard consequence relation. (For the proof see [14].) 

Theorem 6.2 Let Σ_obs be an observational signature, Φ be a set of Σ-sentences 
and φ be a Σ-sentence. Φ ⊨_Σobs φ if and only if Φ ∪ FA_Σobs ⊨_Σ φ. ♦ 

In the sequel we assume given, for each signature Σ, a sound and complete proof 
system Π(Σ) for (many-sorted) infinitary first-order logic (see the discussion below). 
The proof system Π(Σ_obs) for observational logic is then constructed by adding to the 
axioms and rules of Π(Σ) the sentences FA_Σobs as further axioms. 

Definition 6.3 (Proof system for observational logic) 

For any observational signature Σ_obs: Π(Σ_obs) =def Π(Σ) ∪ FA_Σobs. 

We write Φ ⊢_Σobs φ (Φ ⊢_Σ φ resp.) if φ is a Σ-sentence that can be deduced from a set 
Φ of Σ-sentences by the axioms and rules of Π(Σ_obs) (Π(Σ) resp.). ♦ 

Corollary 6.4 (Soundness and completeness) For any observational signature Σ_obs, 
set Φ of Σ-sentences and Σ-sentence φ, Φ ⊢_Σobs φ if and only if Φ ⊨_Σobs φ. 

Proof: Φ ⊢_Σobs φ iff, by definition of Π(Σ_obs), Φ ∪ FA_Σobs ⊢_Σ φ iff, by soundness 
and completeness of Π(Σ), Φ ∪ FA_Σobs ⊨_Σ φ iff, by Theorem 6.2, Φ ⊨_Σobs φ. ♦ 

The axioms FA_Σobs can be considered as a coinductive proof principle (cf. e.g. [16]) 
which, together with Π(Σ), allows us to prove the observational validity not only of 
equations but of arbitrary first-order formulas. If Σ_obs contains only direct observers 
there exist (up to α-conversion) only finitely many observable contexts and hence 
FA_Σobs is finitary. In this case Π(Σ) can be chosen as a formal (i.e. finitary) proof 
system and any available theorem prover for first-order logic can be used to prove that 
φ is an observational consequence of Φ.† 

If Σ_obs contains indirect observers there may be infinitely many observable contexts 
and then FA_Σobs contains infinitary conjunctions. In this case we can choose for Π(Σ) 
a proof system for infinitary first-order logic (for instance, the many-sorted variant of 
the proof system in [17]). Then the above completeness result is mainly of theoretical 
interest. However, it is important to note that the infinitary formulas FA_Σobs can still 
be very useful because in practical examples the validity of (an instantiation of) the 
infinitary conjunction of FA_Σobs can often be verified by an induction proof (cf. 
Example 6.5 below). Using a result of [3] it is even possible to encode the infinitary 
formulas FA_Σobs by finitary ones if one introduces auxiliary symbols and 
reachability constraints. Hence the problem of the non-completeness of finitary proof 
systems for observational logic corresponds exactly to the non-completeness of 
finitary proof systems for inductively defined data types (in particular of arithmetic). 

† For instance, using the Larch Prover one can directly implement the axioms FA_Σobs by the 
"partitioned by" construct of LP; cf. [12]. 

Example 6.5 Consider the signature of the ACCOUNT specification of 
Example 4.6. It induces the infinitary sentence 

$$FA(account) =_{def} \forall s_l, s_r : account.\ \Big( \bigwedge_{i \in \mathbb{N}} s_l.undo^i.bal = s_r.undo^i.bal \Big) \Rightarrow s_l = s_r.$$

Now consider the implicitly universally quantified equation 

s.paycharge = s.update(-10). 

It is easy to prove by induction that for all i ∈ ℕ, 

s.paycharge.undo^i.bal = s.update(-10).undo^i.bal 

can be derived from the axioms of ACCOUNT. Then, using FA(account), we deduce 

s.paycharge = s.update(-10) 

and therefore, by Corollary 6.4, this equation is an observational consequence of the 
ACCOUNT specification. ♦ 

7 Structured Observational Specifications 

In [6] (and similarly in [24]) a basic set of specification-building operations is defined 
which allows one to build structured specifications over an arbitrary institution. We 
will now apply these operators to the particular institution of observational logic, thus 
obtaining the following set of operations for constructing structured observational 
specifications. The semantics of such a specification SP is determined by its 
(observational) signature, denoted by Sig_obs(SP), and by its class of models, denoted 
by Mod_obs(SP). In the following definition we assume that σ: Σ_obs → Σ'_obs is an 
injective observational signature morphism.‡ 

basic: Any presentation ⟨Σ_obs, Ax⟩ is an observational specification. Its semantics is defined in 
Definition 4.5. 

union: For any two observational specifications SP1 and SP2 with Sig_obs(SP1) = Sig_obs(SP2), 
the expression SP1 ∪ SP2 is an observational specification with semantics 

Sig_obs(SP1 ∪ SP2) =def Sig_obs(SP1), 

Mod_obs(SP1 ∪ SP2) =def Mod_obs(SP1) ∩ Mod_obs(SP2). 

‡ The injectivity requirement ensures that the interpolation property for institutions (cf. [6]) 
needed for the completeness proof holds. Whether the interpolation property holds without this 
assumption seems to be an open question. 



Observational Logic 275 



translate: For any observational specification SP with Sig_obs(SP) = Σ_obs, the expression 
translate SP by σ is an observational specification with semantics 

Sig_obs(translate SP by σ) =def Σ'_obs, 

Mod_obs(translate SP by σ) =def {A' ∈ Alg_obs(Σ'_obs) | Alg_obs(σ)(A') ∈ Mod_obs(SP)}. 

derive: For any observational specification SP' with Sig_obs(SP') = Σ'_obs, the expression 
derive from SP' by σ is an observational specification with semantics 

Sig_obs(derive from SP' by σ) =def Σ_obs, 

Mod_obs(derive from SP' by σ) =def {Alg_obs(σ)(A') | A' ∈ Mod_obs(SP')}. 

Definition 7.1 Let SP be an observational specification with signature Σ_obs. 
A Σ-sentence φ is called an observational theorem of SP, written SP ⊨_Σobs φ, if 
Mod_obs(SP) ⊨_Σobs φ. ♦ 



In the following we are interested in a proof system which allows us to prove 
observational theorems of structured (observational) specifications. For this purpose 
we instantiate the institution-independent proof system of [6] and obtain the following 
rules which generate, for each observational signature Σ_obs, a relation 
⊢_Σobs between observational specifications SP and Σ-sentences φ. 

$$\frac{SP \vdash_{\Sigma_{obs}} \varphi_i \ \text{ for all } i \in I \qquad \{\varphi_i \mid i \in I\} \vdash_{\Sigma_{obs}} \varphi}{SP \vdash_{\Sigma_{obs}} \varphi} \quad (\Pi\text{-obs})$$

$$\frac{\varphi \in Ax}{\langle \Sigma_{obs}, Ax \rangle \vdash_{\Sigma_{obs}} \varphi} \quad (\text{basic})$$

$$\frac{SP1 \vdash_{\Sigma_{obs}} \varphi}{SP1 \cup SP2 \vdash_{\Sigma_{obs}} \varphi} \quad (\text{union-1}) \qquad \frac{SP2 \vdash_{\Sigma_{obs}} \varphi}{SP1 \cup SP2 \vdash_{\Sigma_{obs}} \varphi} \quad (\text{union-2})$$

$$\frac{SP \vdash_{\Sigma_{obs}} \varphi}{\mathbf{translate}\ SP\ \mathbf{by}\ \sigma \vdash_{\Sigma'_{obs}} \sigma(\varphi)} \quad (\text{translate}) \qquad \frac{SP' \vdash_{\Sigma'_{obs}} \sigma(\varphi)}{\mathbf{derive\ from}\ SP'\ \mathbf{by}\ \sigma \vdash_{\Sigma_{obs}} \varphi} \quad (\text{derive})$$

According to the rule (Π-obs) the proof system for structured specifications is based 
on the proof system Π(Σ_obs) for observational logic (cf. Section 6). The other rules 
correspond to the specification-building operations and hence proofs of observational 
theorems can be performed according to the structure of a given specification. An 
institution-independent proof of the soundness of the above rules is presented in [24]. 
The completeness can be checked by applying the results of [6] to the institution 
INS_obs of observational logic. For this purpose one has to show that INS_obs satisfies 
the amalgamation and interpolation properties, which is detailed in [14]. 

Theorem 7.2 (Soundness and completeness) Let SP be an observational 
specification with signature Σ_obs and let φ be a Σ-sentence. 

SP ⊨_Σobs φ if and only if SP ⊢_Σobs φ. ♦ 
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8 Conclusion 

Observational logic provides a formal foundation for an observational specification 
methodology for state-based systems which works quite analogously to functional 
specifications of reachable data structures. In the latter case one usually starts by 
declaring a set of data type constructors. Similarly, in the observational case one starts 
by declaring a set of observers which do not tell us how elements are constructed but 
how elements can be observed. While data type constructors induce a generation 
principle which restricts the admissible models of a specification to reachable 
algebras, observer operations induce an observational equality which restricts the 
admissible models to observational algebras. Moreover, the operations on reachable 
data structures can be specified by inductive definitions while the operations on non-
observable elements (i.e. states) can be defined (coinductively) by describing their 
effect w.r.t. the given observers. Analogously to abstract data type specifications, a 
loose observational specification describes a class of observational algebras which is 
closed under observational isomorphisms. Such a class can be considered as an 
"abstract behaviour type". If it contains only one observational isomorphism class its 
specification can be regarded as an "observationally monomorphic" specification of 
an object-oriented program. 

The main topic of our next research steps is the consideration of refinement relations 
between (structured) observational specifications with an emphasis on refinement 
proofs. We hope that we can reuse several results of [2] and [13] but we are aware 
that these approaches do not deal with a built-in (internalised) observational semantics 
of structured specifications as considered in this paper. Another important direction of 
future research is concerned with an extension of observational logic to take into 
account concurrent systems specifications. 

Acknowledgement We would like to thank Andrzej Tarlecki and the referees of 
Abstract. Our goal is to develop an algebraic theory of process scheduling. We 
specify a syntax for denoting processes composed of actions with given 
durations. Subsequently, we propose axioms for transforming any specification 
term of a scheduling problem into a term of all valid schedules. Here a schedule 
is a process in which all (implementational) choices (e.g. precise timing) are 
resolved. In particular, we axiomatize an operator restricting attention to the 
efficient schedules. These schedules are representable as trees, because in an 
efficient schedule actions start only at time zero or when a resource is released, 
i.e. upon termination of the action binding a required resource. All further delay 
is useless. Nevertheless, we do not consider resource constraints explicitly here. 
We show that a normal form exists for every term of the algebra and establish 
both soundness of our axioms with respect to a schedule semantics and 
completeness for efficient processes. 



Introduction 

The problem of scheduling entails assigning an execution time (and sometimes a 
processor) to each of a set of actions with given durations, depending on a certain 
goal function (e.g. shortest schedule) and certain causal and resource constraints. The 
theory of scheduling has been investigated since the early 50s. The research so far can 
be divided into two categories: partitioning the set of all scheduling problems into 
(complexity) classes, and finding efficient algorithms for each class. Most of the 
problems being NP-complete, substantial effort has been spent on problem relaxations 
and heuristics to obtain algorithms that compute near-optimal schedules in 
polynomial time. But an axiomatization of the theory of scheduling still remains to be 
given. Here we outline such a calculus abstracting from both resource constraints and 
goal function and limiting the structure of the causal order. Our aim is to provide an 
axiom system that turns a process specification into a set of efficient (or semi-active) 
schedules [7]. These are the schedules that are potentially optimal for certain 
constraints and goal functions, provided the latter do not favor spending idle time. For 
simplicity, we consider only specifications in which no action has more than one 
immediate causal predecessor, i.e. the precedence graph has a multi-tree order. 

Viewed from a different angle, our approach can be described as applying 
concurrency theory to scheduling. A lot of algebras of concurrent processes have been 
given, e.g. ACP [3], CCS [12] or CSP [11]. Hence, one might ask why we develop a 

A.M. Haeberer (Ed.): AMAST'98, LNCS 1548, pp. 278-292, 1998. 
new calculus instead of using an existing one. The answer lies in the specific 
requirements of processes needed for scheduling: a scheduling calculus must include 
the notion of time, the concept of durational actions and the possibility to delay an 
action arbitrarily. 

Time has been incorporated into the calculi mentioned above (ACP [2], TCCS 
[13], TCSP [14]), but generally employing instantaneous actions. Durational actions 
are treated in [1, 10], for example, but these approaches do not allow actions to be 
delayed (or in the case of [10] only to wait for a synchronization partner). This means 
that in "a ∥ b" actions a and b are always executed simultaneously whereas in 
scheduling they might as well be run sequentially in either order. In e.g. [4, 6], and in 
various references quoted in [6], semantics are given that allow for arbitrary delays, 
but they are not accompanied by an axiomatization. Moreover, nowhere in the process 
algebra literature is a concept of efficiency formalized resembling the one of [7]. 
Hence, a new algebra is necessary. We call it scheduling algebra and develop its 
theoretical framework in the following sections. 

An example process is given in fig. 1. Its algebraic term is: a; (b ∥ c; d) ∥ e. 

Fig. 1. Example process (precedence graph of the actions a, b, c, d and e) 

Fig. 2. GANTT diagram (boxes for a, b, c, d starting from time 0; the anchor points for e are marked by arrows) 

To visualize a schedule, the so-called GANTT chart [5] is used (see fig. 2). It depicts 
every action as a box labeled with its identifier. The length of the box indicates the 
duration of the action, and the placement of the box shows exactly when it takes 
place. In the scenario of fig. 2, actions a and d start simultaneously (on different 
processors), whereas c is executed immediately after a (and b after d). For the 
additional action e, the arrows indicate possible placements. 
Anchoring and Efficiency 

A full-fledged scheduling problem consists of a specification, determining a set of 
valid schedules, some resource constraints, saying that certain actions cannot overlap 
in time, and a goal function, specifying how satisfactory certain schedules are. The 
objective is then to find an optimal schedule among the valid schedules that satisfy 
the resource constraints. Here we deal with scheduling problems in which the goal 
function and resource constraints are unspecified. We are interested in describing the 
valid schedules, and in finding, among the possibly infinite assortment of valid 
schedules, a finite subset, as small as possible, that for any choice of resource 
constraints and goal function contains an optimal schedule. In this quest, as is usual in 
scheduling theory, we limit attention to goal functions that do not favor spending idle 
time: a valid schedule, meeting the resource constraints, cannot improve by moving 
an action forwards in time. 

A schedule is called efficient (or semi-active) if it is valid and no actions can be 
moved backwards in time without violating validity or some hypothetical resource 
constraints. For the types of scheduling problems studied in this paper, as well as 
elsewhere in scheduling theory, every schedule can be “improved” to an efficient 
schedule by moving some of its actions backwards in time (cf. [7, theorem 2.1]). 
Depending on the goal function, this may not be a strict improvement, but it is never a 
regress. Thus the efficient schedules form the subclass of schedules sought above. 
However, in order to be of practical use, a more explicit characterization of the 
efficient schedules is needed. 

We call a schedule anchored if each action starts either at time 0 or at the 
termination time of some other action. Fig. 2 depicts an anchored schedule. If the 
execution times for the actions a to d are already given as indicated, an additional 
action e may start at time 0 if it does not use a resource required by either a or d. If e 
conflicts with a but not with d, it may begin execution upon termination of a (as 
drawn in fig. 2). So in total we have five possibilities for the starting time of e: 0 or 
the termination time of a, b, c or d. We call these points in time anchor points. 

It is easy to see that every anchored schedule s is efficient. If the resource 
constraints say that any two actions that do not overlap in s cannot overlap at all, it is 
impossible to preserve these resource constraints by moving actions backwards. 
Moreover, a goal function could be chosen that makes every schedule in which even 
one action takes place later than in s less attractive than s itself, no matter what 
happens to the other actions. Conversely, for a special class of scheduling problems it 
is shown in [7] that all efficient schedules are anchored, i.e. that every valid schedule 
can be turned into a valid anchored one by moving actions backwards in time. Here 
we are interested in scheduling problems for which the same holds. For these the 
efficient schedules are exactly the anchored ones, and our efficiency operator can be 
implemented as an anchoring operator. 



Syntax 



Let A be a set of atomic actions (external actions), and let T be the set of positive reals 
including zero. A pair (a, t) ∈ A×T written as a(t) is called a time-stamped action or 
activity. It indicates that action a takes t units of time (the duration of a). The 
elements t of T also denote internal time actions which can be seen as silent steps 
(τ, t). 

Process terms can be constructed using the constants 

ε  denoting the empty process, 

a(t)* ∈ A×T  denoting the starting of action a with duration t, 

the unary operators 

a(t)·  sequence: a(t)·x means that x starts immediately after the 
execution of a, i.e. at time t, 

t·  time offset for t ∈ T: in t·x the starting time of the actions in x is 
delayed by t time units and an anchor point at time t is added, 

Δ  arbitrary delay operator, meaning that the prefixed process can be 
postponed indefinitely, 

[.]  delay elimination, deleting every occurrence of the delay operator 
from the enclosed term by attaching the processes prefixed by Δ to 
every possible anchor point, 

and the binary operators 

∪  choice: x ∪ y denotes the execution of either x or y exclusively, 

⋔  forking of time ('Hühnerfuß' or 'chicken claw'), an urgent parallel 
composition: x ⋔ y means that the initial actions of both x and y 
start at the same time. 

In addition, we use the following abbreviations: 

a(t);  (causal) precedence, a unary operator expressing linear order, so 
a(t); x says that x has to be executed some time (but not necessarily 
immediately) after completion of a. We have: a(t); x = a(t)·Δx. 

∥  concurrence, a binary operator expressing independence of 
processes. We have: x ∥ y = Δx ⋔ Δy. 

The binding precedence of the binary operators (from loose to tight) is: ∪, ∥ and ⋔. 
The unary operators bind tightest. 

Terms built from ε, a(t)*, a(t)·, t·, ⋔ and [.] denote unique schedules. Choice 
between various schedules is introduced by the operators ∪ and Δ, and hence also by 
a(t); and ∥. The delay elimination simply prunes some choices introduced by Δ. 

We take a, b to range over A×T ∪ T, t, u, v to range over T and x, y, z to range over 
all process expressions. For convenience, we sometimes abbreviate the expression 
a(t) by a. Moreover, we leave out trailing ε's in terms a(t)·ε and t·ε. 

Example: The expression a; b ∥ c; d denotes two concurrent tasks, one executing 
first a and then b, and the other running c followed by d. Example schedules for the 
efficient process [a; b ∥ c; d] are shown in fig. 3. 
Fig. 3. Example schedules (GANTT charts of the three schedules a·c·b·d, a·b ⋔ c·d and a·(c·d ⋔ b)) 



As specification terms we consider processes P or [P] that contain no further 
occurrences of [.] and no direct occurrences of the sequencing operator a(t)·, although 
occurrences of a(t); are permitted. Let us call an occurrence of a(t)· which cannot be 
regarded as an occurrence of a(t); tight sequencing. Tight sequencing can be encoded 
with the delay elimination operator, namely a(t)·b(t') = [a(t)·Δb(t')] = [a(t); b(t')]. 
For these specification terms the argument of [7] showing that all efficient schedules 
are anchored applies, so that the delay elimination operator indeed describes 
efficiency. This need not be true for general processes. Consider for example the 
process Δa(1)·b(1) ∥ c(2). A valid schedule for this process specification is shown in 
fig. 4. This schedule is efficient because it is the shortest schedule for the given 
specification if we assume that b and c may not overlap due to a resource conflict. But 
at the same time it is not anchored because the starting time of action a does not 
coincide with the finishing time of any other action. 





Fig. 4. An efficient schedule that is not anchored (GANTT chart of the actions a, b and c) 



Axiomatic System 

The axioms of scheduling algebra are listed below. Please note that "+" refers to 
real number addition. 

A1   x ∪ (y ∪ z) = (x ∪ y) ∪ z 
A2   x ∪ y = y ∪ x 
A3   x ∪ x = x 
A4   (x ⋔ y) ⋔ z = x ⋔ (y ⋔ z) 
A5   x ⋔ y = y ⋔ x 

Zero Axioms 

Z1   0·x = x 
Z2   x ⋔ ε = x 

Distributivity of choice 

D1   t·(x ∪ y) = t·x ∪ t·y 
D2   Δ(x ∪ y) = Δx ∪ Δy 
D3   x ⋔ (y ∪ z) = x ⋔ y ∪ x ⋔ z 

Normal Form Axioms 

N1   a(t)·x = a(t)* ⋔ t·x 
N2   t·x ⋔ (t+u)·y = t·(x ⋔ u·y) 
N3   Δx ⋔ Δy = Δ(x ⋔ Δy ∪ y ⋔ Δx) 

Elimination of delay (anchor axioms) 

AA1  [x ∪ y] = [x] ∪ [y] 
AA2  [a(t)* ⋔ x] = a(t)* ⋔ [x] 
AA3  (equation illegible in the scanned source) 
AA4  (equation illegible in the scanned source) 
AA5  [t·x ⋔ Δy] = [t·x ⋔ y] ∪ t·[x ⋔ Δy] 
AA6  [ε] = ε 


284 



Rob van Glabbeek and Peter Rittgen 



Proposition 

The following equation follows from applying N1, D1, D3 and N1 in the given order: 

P1   a·(x ∪ y) = a·x ∪ a·y 

The distributivity axioms and P1 indicate that we work in a linear-time setting. 
This is because we treat scheduling as a planning problem where all decisions 
(choices) are made prior to the execution of the process. 

Note that we do not have the axioms x ∪ ε = x and t·u·x = (t+u)·x. They are not 
sound because the terms on the left side introduce an additional empty schedule and 
an anchor point at t, respectively. 

Example 

Applying the axioms, the definitions and P1 in a suitable order, we can compute the 
schedules for an example process specification. The penultimate equality shows the 
term in normal form (see below); the last equality gives the term in anchor form 
(explained later). Recall that we abbreviate a(t) by a, and that we leave out trailing ε's. 

[a(1); b(3) ∥ c(2); d(1)] = 

[Δ(a(1)·Δb(3)) ⋔ Δ(c(2)·Δd(1))] = 

a*⋔1·(b*⋔3·(c*⋔2·(d*⋔1))) ∪ a*⋔1·(c*⋔b*⋔2·(d*⋔1)) ∪ 
a*⋔1·(c*⋔b*⋔2·1·(d*⋔1)) ∪ a*⋔1·(c*⋔2·(b*⋔3·(d*⋔1))) ∪ 
a*⋔1·(c*⋔2·(b*⋔d*⋔1·2)) ∪ a*⋔1·(c*⋔2·(d*⋔1·(b*⋔3))) ∪ 
c*⋔2·(a*⋔1·(b*⋔3·(d*⋔1))) ∪ c*⋔2·(a*⋔1·(d*⋔(b*⋔1·2))) ∪ 
c*⋔2·(a*⋔1·(d*⋔1·(b*⋔3))) ∪ c*⋔2·(d*⋔a*⋔1·(b*⋔3)) ∪ 
c*⋔2·(d*⋔1·(a*⋔1·(b*⋔3))) ∪ c*⋔a*⋔1·(b*⋔1·2·(d*⋔1)) ∪ 
c*⋔a*⋔1·(b*⋔1·(d*⋔1·1)) ∪ c*⋔a*⋔1·1·(b*⋔3·(d*⋔1)) ∪ 
c*⋔a*⋔1·1·(d*⋔1·(b*⋔3)) ∪ c*⋔a*⋔1·1·(d*⋔(b*⋔1·2)) = 

a·b·c·d ∪ a·c·b·d ∪ a·c·d·b ∪ c·a·b·d ∪ c·a·d·b ∪ c·d·a·b ∪ 
a·(c·d ⋔ b) ∪ a·(b·d ⋔ c) ∪ c·(a ⋔ d·b) ∪ a·c·(b ⋔ d) ∪ a·b ⋔ c·d ∪ 
c·a·(b ⋔ d) ∪ a ⋔ c·(b ⋔ d) ∪ a ⋔ c·b·d ∪ a ⋔ c·d·b ∪ c ⋔ a·b·d 

Normal Form Theorem 

All terms can be written in the form ⋃ N where 

N ::= a(t)* ⋔ N 
   | t·N        for t ≠ 0 
   | ΔN 
   | t·N ⋔ ΔN   for t ≠ 0 
   | ε 
This normal form theorem is proved by structural induction on terms. We show for 
every operator that the composition of terms in normal form again yields a term that 
can be expressed in normal form. 

The choice operator distributes over every other operator (D1 - D3, P1, AA1) so 
that it can always be moved to the top level. This and associativity (A1) and 
commutativity (A2) allow us to denote every term as a union of choice-free subterms. 
Prefixing a normal term with Δ or t· (for t ≠ 0) is by definition normal, as is ε. Z1 takes 
care of terms 0·N. Using Z2, the constant a(t)* can be written as the normal form 
a(t)* ⋔ ε. For a(t)·N, axiom N1 leads to the normal form 

a(t)·N = a(t)* ⋔ t·N. 

Delay elimination is straightforward with AA1 - AA6. It remains to be shown that 
forking of normal terms can be normalized. Let K, L, M and N be normal terms. Then 

(a(t)* ⋔ M) ⋔ N = a(t)* ⋔ (M ⋔ N)   (by A4)   = a(t)* ⋔ N'   (by IH), 

ε ⋔ N = N   (by A5, Z2), 

where IH abbreviates induction hypothesis, and N' denotes the normalization of 
M ⋔ N. For the remaining 3 normal forms we have to prove normalization only for the 
upper triangle of the following matrix (due to commutativity of forking), in which 
t, u > 0: 



  ⋔          | u·K              | ΔK            | u·K ⋔ ΔK 
  -----------+------------------+---------------+---------------------------------------------- 
  t·M        | N2 (t<u), IH     | √             | A4, N2 (t<u), IH 
  ΔM         |                  | N3, IH, IH    | A5, A4, N3, IH, IH 
  t·M ⋔ ΔM   |                  |               | A4, A4, A5, A4, A4, N2 (t<u), N3, IH, IH, IH 

Table 1. Normal form proofs 

The proof proceeds by applying the laws stated, modulo commutativity (√ means that the 
term is already in normal form). 



Semantics 



As a semantic model, we define schedules similar to the real-time execution 
sequences in [14]. Each expression maps to a set of possible schedules: 

$$[\![\cdot]\!] : Expr \to 2^{\,\mathbb{N}^{A \times T \times T} \times 2^{T} \times 2^{T - \{0\}}}$$

A schedule is a triple σ = ⟨σ_a; σ_s; σ_f⟩ where σ_a is a multi-set over triples (action, 
duration, starting time), σ_s is a set of starting and finishing times and σ_f a set of 
anchor points (or finishing times), excluding 0. Because 0 is always an anchor point, 
there is no need to record it explicitly; suppressing it turns out to have technical 
advantages. Typically, we leave out the brackets delimiting σ_a, σ_s and σ_f, i.e. 

⟦a(1)·b(2) ⋔ a(1)⟧ = { ⟨(a, 1, 0), (a, 1, 0), (b, 2, 1); 0, 1, 3; 1, 3⟩ }. 

This schedule is interpreted as follows: 

• a(1) is started twice at time 0, 

• b(2) at time 1 (immediately after a), 

• the starting times are 0 and 1 (for a and b respectively) 

• and the anchor points are 1 and 3 (the finishing times of a and b respectively). 

Because Z1 yields a(1)·b(2) = a(1)·b(2)·0 and the latter term has a starting time 3 
(for the internal action of duration 0), 3 can be regarded as a potential starting time of 
the process a(1)·b(2) as well. For this reason we include in σ_s not only the starting 
times, but also the finishing times of actions. 

For two schedules σ and ρ, we write σ ∪ ρ for ⟨σ_a ∪ ρ_a; σ_s ∪ ρ_s; σ_f ∪ ρ_f⟩. The offset 
of a schedule by a fixed amount of time is defined by: 

$$\sigma + u = \langle\, \{\!\{ (a, t, p+u) \mid (a, t, p) \in \sigma_a \}\!\};\ \{ p+u \mid p \in \sigma_s \};\ \{ p+u \mid p \in \sigma_f \} \,\rangle.$$



The general definition of the semantics is as follows: 

$$[\![\varepsilon]\!] = \{ \langle \emptyset; 0; \emptyset \rangle \} \qquad (1)$$

$$[\![a(t)^*]\!] = \{ \langle (a, t, 0); 0; \emptyset \rangle \} \qquad (2)$$

$$[\![a(t)\cdot P]\!] = \{ \langle (a, t, 0); 0; \{t\} - \{0\} \rangle \cup (\sigma + t) \mid \sigma \in [\![P]\!] \} \qquad (3)$$

$$[\![t\cdot P]\!] = \{ \langle \emptyset; 0; \{t\} - \{0\} \rangle \cup (\sigma + t) \mid \sigma \in [\![P]\!] \} \qquad (4)$$

$$[\![\Delta P]\!] = \{ \langle \emptyset; 0; \emptyset \rangle \cup (\sigma + u) \mid \sigma \in [\![P]\!],\ u \in T \} \qquad (5)$$

$$[\![[P]]\!] = \{ \sigma \in [\![P]\!] \mid \sigma_s \subseteq \sigma_f \cup \{0\} \} \qquad (6)$$

$$[\![P \cup Q]\!] = [\![P]\!] \cup [\![Q]\!] \qquad (7)$$

$$[\![P \pitchfork Q]\!] = \{ \sigma \cup \rho \mid \sigma \in [\![P]\!],\ \rho \in [\![Q]\!] \} \qquad (8)$$

Note that this definition ensures that 0 ∈ σ_s, 0 ∉ σ_f and σ_f ⊆ σ_s, for all schedules σ. 

The Role of the Elimination Operator [.] 

A term not containing [.] represents a set of schedules, both efficient and inefficient
ones. Delay elimination restricts attention to the efficient schedules, thereby
eliminating all schedules known not to be optimal under any goal function or
constraints. On the syntactical level, this corresponds to the elimination of $\Delta$'s, which
is achieved by the operator [.]. One might ask why this is not done implicitly, i.e. by
giving every term P the semantics of [P]. The answer is that the following implication
does not hold:

$[\![[x]]\!] = [\![[y]]\!] \Rightarrow [\![[x \parallel z]]\!] = [\![[y \parallel z]]\!]$

A counterexample to the implication can be constructed easily by setting: 

$x = a(1)\cdot b(1)$,

$y = a(1)\cdot \Delta b(1)$,
$z = c(1)$.

We then get: 

$[\![[a(1)\cdot b(1)]]\!] = \{\ \langle (a,1,0), (b,1,1)\ ;\ 0, 1, 2\ ;\ 1, 2 \rangle\ \} = [\![[a(1)\cdot \Delta b(1)]]\!]$,
but:

$\langle (a,1,0), (b,1,2), (c,1,1)\ ;\ 0, 1, 2, 3\ ;\ 1, 2, 3 \rangle \in [\![[a(1)\cdot \Delta b(1) \parallel c(1)]]\!]$,

$\langle (a,1,0), (b,1,2), (c,1,1)\ ;\ 0, 1, 2, 3\ ;\ 1, 2, 3 \rangle \notin [\![[a(1)\cdot b(1) \parallel c(1)]]\!]$.
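The semantic clauses (1)-(8) and the counterexample above, as an added Python example that is not from the paper: it evaluates terms to sets of schedules over a discrete, bounded time domain and checks that [[[x]]] = [[[y]]] while the paper's witness schedule lies in [[[y ∥ z]]] but not in [[[x ∥ z]]]. Assumed here: integer durations, the delay Δ enumerated only up to a bound T_MAX, P ∥ Q read as ΔP ∧ ΔQ with ∧ the operator of clause (8), and a bare b(1) read as b(1)·ε so that its finishing time is an anchor point, as in the paper's own example schedules.

```python
"""Schedule semantics (1)-(8) of scheduling algebra over a bounded, discrete
time domain, with the elimination operator [.] as the filter sigma_s <= sigma_f + {0}.
Added example; the bound on Delta and the reading of P || Q are assumptions."""

T_MAX = 4  # assumed bound: Delta enumerates offsets 0..T_MAX instead of all of T

# A schedule is a triple (actions, starts, anchors):
#   actions - sorted tuple of (name, duration, start), i.e. a multiset
#   starts  - frozenset of starting times (always contains 0)
#   anchors - frozenset of anchor points (finishing times, never 0)

def union(s, r):
    """Component-wise union of two schedules (multiset union on the actions)."""
    return (tuple(sorted(s[0] + r[0])), s[1] | r[1], s[2] | r[2])

def offset(s, u):
    """Shift every time occurring in the schedule by u."""
    return (tuple(sorted((a, t, p + u) for a, t, p in s[0])),
            frozenset(p + u for p in s[1]),
            frozenset(p + u for p in s[2]))

# Terms are tuples: ('eps',) | ('act', a, t) | ('seq', a, t, P) | ('off', t, P)
# | ('delay', P) | ('elim', P) | ('choice', P, Q) | ('hf', P, Q)  (clause 8)
def sem(term):
    """Set of schedules denoted by a term, following clauses (1)-(8)."""
    kind = term[0]
    if kind == 'eps':                                               # (1)
        return {((), frozenset({0}), frozenset())}
    if kind == 'act':                                               # (2)
        _, a, t = term
        return {(((a, t, 0),), frozenset({0}), frozenset())}
    if kind == 'seq':                                               # (3)
        _, a, t, P = term
        head = (((a, t, 0),), frozenset({0}), frozenset({t}) - {0})
        return {union(head, offset(s, t)) for s in sem(P)}
    if kind == 'off':                                               # (4)
        _, t, P = term
        head = ((), frozenset({0}), frozenset({t}) - {0})
        return {union(head, offset(s, t)) for s in sem(P)}
    if kind == 'delay':                                             # (5), bounded
        head = ((), frozenset({0}), frozenset())
        return {union(head, offset(s, u))
                for s in sem(term[1]) for u in range(T_MAX + 1)}
    if kind == 'elim':                                              # (6)
        return {s for s in sem(term[1]) if s[1] <= s[2] | {0}}
    if kind == 'choice':                                            # (7)
        return sem(term[1]) | sem(term[2])
    if kind == 'hf':                                                # (8)
        return {union(s, r) for s in sem(term[1]) for r in sem(term[2])}
    raise ValueError(f"unknown constructor {kind!r}")

def action(a, t):
    """Bare a(t) read as a(t).eps, so its finishing time becomes an anchor point."""
    return ('seq', a, t, ('eps',))

def par(P, Q):
    """Assumed reading of P || Q: each side may be delayed independently."""
    return ('hf', ('delay', P), ('delay', Q))

def schedule(actions, starts, anchors):
    """Build a schedule from the bracket-free notation used in the paper."""
    return (tuple(sorted(actions)), frozenset(starts), frozenset(anchors))

def counterexample():
    """The paper's x, y, z: [[[x]]] = [[[y]]] but [[[x||z]]] != [[[y||z]]]."""
    x = ('seq', 'a', 1, action('b', 1))               # a(1).b(1)
    y = ('seq', 'a', 1, ('delay', action('b', 1)))    # a(1).Delta b(1)
    z = action('c', 1)                                 # c(1)
    witness = schedule([('a', 1, 0), ('b', 1, 2), ('c', 1, 1)],
                       {0, 1, 2, 3}, {1, 2, 3})
    return (sem(('elim', x)) == sem(('elim', y)),
            witness in sem(('elim', par(y, z))),
            witness in sem(('elim', par(x, z))))

if __name__ == '__main__':
    same, in_y, in_x = counterexample()
    print(f"[[[x]]] == [[[y]]]: {same}; witness in [[[y||z]]]: {in_y}; "
          f"witness in [[[x||z]]]: {in_x}")
```

Because Δ is enumerated only up to T_MAX, the two sets [[[x ∥ z]]] and [[[y ∥ z]]] are truncated, but the membership of the witness is decided exactly since it needs delays of at most 1.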

Correctness 

Axioms A1 to A3 are correct w.r.t. our schedule semantics because set union is
associative, commutative and idempotent. Associativity and commutativity of multiset
union yield A4 and A5. Z1 and Z2 are explained by 0 and the empty set being the
neutral elements of addition and (multi-)set union respectively, taking into account
that 0 is already in $\sigma_s$ for every schedule $\sigma$. The correctness proofs for the remaining
axioms can be found in [9].

Completeness w.r.t. $\Delta$-free Terms

In this section, we will prove completeness of the axiomatic system for $\Delta$-free terms.
The normal form theorem allows restriction to $\Delta$-free normal forms, which, for
example, arise from normalizing arbitrary terms of the form [P]. Each choice-free
subterm of such a term corresponds uniquely to a set of only one schedule.



Lemma 1. Let N be a term of the form

$N ::= a(t)^* \wedge N \mid t\cdot N \mid \varepsilon$, where $t \neq 0$.
Then $|[\![N]\!]| = 1$.

Proof by structural induction:

$|[\![\varepsilon]\!]| = |\{\ \langle \emptyset\ ;\ 0\ ;\ \emptyset \rangle\ \}| = 1$.

$[\![t\cdot N]\!] = \{\ \langle \emptyset\ ;\ 0\ ;\ \{t\}-\{0\} \rangle \cup (\sigma + t) \mid \sigma \in [\![N]\!]\ \}$.

So if $|[\![N]\!]| = 1$, then $|[\![t\cdot N]\!]| = 1$.

The case $a(t)^* \wedge N$ proceeds likewise.
Lemma 2. Let N, M be of the form stipulated above, then
$[\![N]\!] = [\![M]\!] \Rightarrow$ A4, A5 $\vdash N = M$.

Proof by structural induction:

$N = a_1(t_1)^* \wedge \ldots \wedge a_n(t_n)^* \wedge N'$ with $N' = \varepsilon$ or $N' = t\cdot N''$ with $t > 0$, and
$M = b_1(u_1)^* \wedge \ldots \wedge b_m(u_m)^* \wedge M'$ with $M' = \varepsilon$ or $M' = u\cdot M''$ with $u > 0$.

Let $\sigma$ be the unique schedule in $[\![N]\!] = [\![M]\!]$. We have $N' = \varepsilon \Leftrightarrow \sigma_f = \emptyset \Leftrightarrow M' = \varepsilon$.

In case $N' = M' = \varepsilon$ we have

$\sigma_a = \{\!\{ (a_1, t_1, 0), (a_2, t_2, 0), \ldots, (a_n, t_n, 0) \}\!\} = \{\!\{ (b_1, u_1, 0), (b_2, u_2, 0), \ldots, (b_m, u_m, 0) \}\!\}$.

Hence $\{\!\{ a_1(t_1)^*, a_2(t_2)^*, \ldots, a_n(t_n)^* \}\!\} = \{\!\{ b_1(u_1)^*, b_2(u_2)^*, \ldots, b_m(u_m)^* \}\!\}$, so in particular $n =
m$. It follows that A4, A5 $\vdash N = M$.

In case $N' = t\cdot N''$ and $M' = u\cdot M''$ we have

$[\![N]\!] = \{\ \langle (a_1, t_1, 0), (a_2, t_2, 0), \ldots, (a_n, t_n, 0)\ ;\ 0\ ;\ t \rangle \cup (\sigma + t) \mid \sigma \in [\![N'']\!]\ \}$ and

$[\![M]\!] = \{\ \langle (b_1, u_1, 0), (b_2, u_2, 0), \ldots, (b_m, u_m, 0)\ ;\ 0\ ;\ u \rangle \cup (\rho + u) \mid \rho \in [\![M'']\!]\ \}$.

Again it follows that $\{\!\{ a_1(t_1)^*, \ldots, a_n(t_n)^* \}\!\} = \{\!\{ b_1(u_1)^*, \ldots, b_m(u_m)^* \}\!\}$, so in
particular $n = m$. Furthermore, we have $u = t$ because $t$ is the least anchor point in the
unique schedule of $[\![N]\!]$, and so is $u$ for $[\![M]\!]$. Finally, $[\![N'']\!] = [\![M'']\!]$, and therefore by
induction A4, A5 $\vdash N'' = M''$. Hence A4, A5 $\vdash N = M$.

Theorem. Let K, L be $\Delta$-free normal forms with $[\![K]\!] = [\![L]\!]$; then
A1, ..., A5 $\vdash K = L$.

Proof: Using A1, A2, A3, it suffices to show that for every choice-free subterm N of
K there is a choice-free subterm M of L such that A4, A5 $\vdash N = M$ (and vice versa).
By lemma 1, $[\![N]\!] = \{\sigma\}$, so $\sigma \in [\![K]\!] = [\![L]\!]$. Again by lemma 1, there is a choice-free
subterm M of L such that $[\![M]\!] = \{\sigma\} = [\![N]\!]$. Now, by lemma 2, A4, A5 $\vdash N = M$.



Anchor Form 

For every t-free term [P] we can eliminate [.] without introducing time offsets.

P is t-free $\Rightarrow \exists Q: Q = [P]$ where Q contains neither [.] nor $t\cdot$

We call this the anchor form of a term because all schedules are given by just
anchoring actions to the endpoints of others. The GANTT chart can be drawn easily
from this form.

Using a straightforward structural induction, one can establish that for every
schedule $\sigma$ of a t-free term we have

$\forall t \in \sigma_f.\ \exists (a, u, v) \in \sigma_a.\ t = u + v$ with $u > 0$. (*)
Furthermore, employing N2, Z2 and again N2, we obtain
$t\cdot(u\cdot x \wedge v\cdot y) = t\cdot\varepsilon \wedge (t+u)\cdot x \wedge (t+v)\cdot y$.

Every term [P] can be written in a $\Delta$-free normal form, which, using structural
induction, Z1 and the law above, can be converted to a sum of terms of the form

$u_1\cdot a_1(t_1)^* \wedge u_2\cdot a_2(t_2)^* \wedge \ldots \wedge u_k\cdot a_k(t_k)^* \wedge u_{k+1}\cdot\varepsilon \wedge \ldots \wedge u_n\cdot\varepsilon$.

Assuming P is t-free, (*) implies that for every $u_j > 0$ there exists an $i \in \{1, \ldots, k\}$ such
that $u_j = u_i + t_i$ and $t_i > 0$. We will remove step by step the time offsets $u_j$ in the term
above, starting with the largest, until only time offsets $0\cdot$ remain. The intermediate
terms encountered during this process will always remain in the form

$u_1\cdot a_1(t_1)^* \wedge u_2\cdot a_2(t_2)^* \wedge \ldots \wedge u_k\cdot a_k(t_k)^* \wedge u_{k+1}\cdot N_{k+1} \wedge \ldots \wedge u_n\cdot N_n$ (**)

where for every $u_j > 0$ there exists an $i \in \{1, \ldots, k\}$ such that $u_j = u_i + t_i$, $t_i > 0$ and the $N_j$
contain neither time offsets nor occurrences of [.] or $\Delta$.

Let $v > 0$ be the maximum of $\{u_1, u_2, \ldots, u_n\}$, and let $i \in \{1, \ldots, k\}$ be such that $v =
u_i + t_i$ and $t_i > 0$. Using A4-5, we write all subterms $u_j\cdot a_j(t_j)^*$ and $u_j\cdot N_j$ with $u_j = v$ as
well as $u_i\cdot a_i(t_i)^*$ at the right of the formula, thus obtaining an expression of the form

$u'_1\cdot a'_1(t'_1)^* \wedge u'_2\cdot a'_2(t'_2)^* \wedge \ldots \wedge u'_l\cdot a'_l(t'_l)^* \wedge u'_{l+1}\cdot N'_{l+1} \wedge \ldots \wedge u'_m\cdot N'_m \wedge K$

with $K = u_i\cdot a_i(t_i)^* \wedge v\cdot M_1 \wedge v\cdot M_2 \wedge \ldots \wedge v\cdot M_p$. Using axioms N2 and Z1, K can be
rewritten as $u_i\cdot a_i(t_i)^* \wedge v\cdot(M_1 \wedge M_2 \wedge \ldots \wedge M_p)$ and, with N1, as $u_i\cdot a_i(t_i)\cdot(M_1 \wedge M_2 \wedge \ldots
\wedge M_p)$. This brings the term again in the form (**) and we can continue with the next-
largest member of $\{u_1, u_2, \ldots, u_n\}$. In the end, all remaining $u_j$ will be 0 and Z1 turns
the term into the required form.



Example 



Consider the term $[\,a; (b \parallel c) \parallel d\,]$ where all actions consume one unit of time.
Transformation of this term into its anchor form yields 19 possible schedules. They
are shown in fig. 5 grouped into the three basic orders “$a; (b \parallel c)$”, “$a; b; c$” and “$a; c;
b$” with the independent action d attached to an anchor point or inserted in front of or
in between the other actions.

This example might suggest that it is possible to convert a t-free term [P] into its
anchor form without considering the duration of its actions. However, this is not
possible in general: the anchor form of the term $[\,a(1); b(3) \parallel c(2); d(1)\,]$ that has been
calculated in a previous example contains the schedule $a(1) \wedge c(2)\cdot(b(3) \wedge d(1))$, but
not $a(1)\cdot(b(3) \wedge d(1)) \wedge c(2)$.

Fig. 5. All schedules



Term Rewriting 

We show that modulo associativity and commutativity of choice and Hühnerfuß our
axioms, when read from left to right, form a confluent and (strongly) normalizing
rewrite system, provided that we add the rewrite rule $[a(t)^*] \to a(t)^*$ (which is
derivable from the axiom system). If we drop the rewrite rule A3 (the idempotence of
choice), the normal forms are exactly the normal forms in the sense of our normal
form theorem, except that all subterms $a(t)^* \wedge \varepsilon$ are replaced by $a(t)^*$ (so $a(t)^*$ is a
normal form for the rewrite system). In the presence of A3 the same normal forms
apply, but without pairs of summands that are equal modulo A4 and A5.

It is easy to check that such normal forms allow no further rewriting; the proof of 
the normal form theorem (but omitting the reverse application of Z2) shows 
essentially that all other terms can be rewritten into a normal form. Thus the rewrite 
system is normalizing. Here we omit the proof that it is even strongly normalizing; 
however, it involves only standard term rewriting techniques. 

Confluence for terms of the form [P] follows immediately from the proof of our
completeness theorem for such terms (because only the axioms A1-5 are involved in
the completeness proof for $\Delta$-free normal forms). Confluence for the entire rewrite
system can be established by the Knuth-Bendix method, skipping pairs of overlapping
redexes that lie within a term of the form [P]. In Table 2, we review the relevant
pairs of overlapping redexes.

An implementation of the system without A3 can be found at the URL

http://www.uni-koblenz.de/~rittgen/SA.html

This applet generates the normal form for the axiom system given any term of your
choosing.
Overlapping redexes                 Result

A3 with D1, D2 and D3               trivial

Z1 with D1 and N2 (in two ways)     trivial

Z2 with D3 and Z2                   trivial

D1 with N2 (in two ways)            trivial with D3

D2 with N3 (in two ways)            trivial with D3

D3 with D3                          trivial

N2 with itself                      OK

N3 with itself                      OK

Table 2. Overlapping redexes



Conclusion 

In this paper, we have proposed a calculus for durational actions, namely scheduling
algebra. The constants and operators of this algebra allow one to specify process terms as
a multi-tree order over actions with a certain duration. A normal form exists for each
term which for $\Delta$-free terms is unique modulo A1-5. Using the axioms of this
calculus, the set of all efficient schedules [P] can be “computed” for any process P
without tight sequencing. The operator [.] does so by generating a subterm (schedule)
for any possible attachment of actions to anchor points, thus eliminating all time
delays $\Delta$.

We established soundness of the axiomatic system w.r.t. a schedule semantics and
showed that the algebra is complete for $\Delta$-free terms (sets of schedules), such as arise
from terms of the form [P].

Currently, our calculus is designed for multi-tree precedence. To extend it to
arbitrary orders (with more than one predecessor to an action), synchronization must
be present in the algebra (as follows from the existence of partial orders which are not
“series-parallel” [8]). This is left for future research.
Abstract. We propose an algebraic characterisation of the notion of coordination
in the sense of recently proposed languages and computational models that
provide a clear separation between the modelling of individual software components
and their interaction in the overall software organisation. We show
how this separation can be captured in Goguen’s categorical approach to General
Systems Theory and borrow examples from specification logics, program
design languages, mathematical models of behaviour, and coordination languages
to illustrate the applicability of our algebraic characterisation.



1 Introduction 

Several recently proposed languages and computational models, e.g. those discussed
in [4], support the separation between what, in the definition of a system, is responsible
for its computational aspects and what is concerned with coordinating the interaction
between its different components. As explained in [12]: "(A) computation
model allows programmers to build a single computational activity: a single-threaded,
step-at-a-time computation; (a) coordination model is the glue that binds separate
activities into an ensemble".

The clean separation that is achieved between individual software components and
their interaction in the overall software organisation makes large applications more
tractable, supports global analysis, and enhances reuse of software. Hence, it is not
surprising that the significance of this original work on “coordination languages” has
now been recognised in areas of Software Engineering concerned with system configuration
and architectural description languages [11].
In this paper, we show how the separation between computation and coordination
can be captured in the framework of Goguen’s categorical approach to General Systems
Theory [13]. We capitalise on our previous work on the formalisation of architectural
principles in software design [7], which was based on a formal notion of
“coordination” that we wish to revise, motivate, discuss and put forward in a more
comprehensive way. Examples are drawn from specification logics, concurrency
models, parallel program design languages and, of course, coordination languages.



2 Coordination in the Context of General Systems 

We start by illustrating the categorical framework that we have been adopting for 
modelling the development of complex systems, and then motivate the formalisation 
of “coordination”. 

2.1 The Categorical Approach to Systems Modelling - An Example 

The basic motto of the categorical approach to systems, as explained in [13], is that
morphisms can be used to express interaction between components, so that "given a
category of widgets, the operation of putting a system of widgets together to form
some super-widget corresponds to taking the colimit of the diagram of widgets that
shows how to interconnect them" [15]. As shown in [5,16], these categorical principles
can be used to formalise process models for concurrent systems such as transition
systems, synchronisation trees, event structures, etc. We shall illustrate the approach
using a trace-based model.

A process alphabet is a finite set, and a process is a pair $\langle A, \Lambda \rangle$ where A is an
alphabet and $\Lambda \subseteq (2^A)^\omega$ is the language of the process, where $(2^A)^\omega$ denotes the set of infinite
sequences over $2^A$.

The alphabet models the set of actions in which the process may involve itself. 
Each sequence of events in the language of the process captures a possible behaviour 
of the process, where each event consists of a set of actions that occur concurrently 
during that event. The empty set of actions models an event of the environment. 

We take a morphism of process alphabets to be a total function, and a process
morphism $f: \langle A_1, \Lambda_1 \rangle \to \langle A_2, \Lambda_2 \rangle$ as an alphabet morphism $f: A_1 \to A_2$ such that, for
every $\lambda \in \Lambda_2$, $f^{-1}(\lambda) \in \Lambda_1$, where $f^{-1}(\lambda)(i) = f^{-1}(\lambda(i))$.

The idea is that a morphism of processes captures the relationship that exists between
a system (target of the morphism) and any of its components (source). That is,
every morphism identifies a component within a system. Hence, an alphabet morphism
identifies each action of a component with an action of the system. Each such
morphism $f$ defines a contravariant mapping $f^{-1}: 2^{A_2} \to 2^{A_1}$ between the sets of events associated
with each process. That is, each event in the life of the system is mapped
to an event in the life of the component. The empty event arises when the component
is not involved in that specific event of the system, which then acts as the environment
for the component. Finally, each behaviour of the system is mapped to one of
the possible behaviours of the component.
Diagrams express how a complex system is put together through the interconnection
of simpler components. The colimit of such a configuration diagram returns the
process that results from the interconnection. The simplest configuration diagram
expresses the interconnection between two components via a third one:

$\langle A_1, \Lambda_1 \rangle \xleftarrow{f_1} \langle A, \Lambda \rangle \xrightarrow{f_2} \langle A_2, \Lambda_2 \rangle$

The colimit (pushout) of this diagram is calculated as follows: the pushout (amalgamated
sum) of the underlying diagram of process alphabets is calculated, returning

$A_1 \xrightarrow{g_1} A' \xleftarrow{g_2} A_2$

The alphabet $A'$ is obtained from the disjoint union of $A_1$ and $A_2$ through the quotient
that results from the equivalence relation generated by the set of all pairs
$\langle f_1(a), f_2(a) \rangle$ where $a \in A$. That is to say, each action of A establishes a synchronisation
point for the component processes $\langle A_1, \Lambda_1 \rangle$ and $\langle A_2, \Lambda_2 \rangle$.

The resulting process is then calculated over the alphabet thus computed by taking
the intersection of the inverse images of the component behaviours:

$\Lambda' = \{\ \lambda \in (2^{A'})^\omega : g_1^{-1}(\lambda) \in \Lambda_1 \text{ and } g_2^{-1}(\lambda) \in \Lambda_2\ \}$

That is to say, the system thus configured can execute all the actions that its components
can, subject to the synchronisations specified by the interconnection, and
exhibits the behaviours that are allowed by both its components.



2.2 Separating Coordination 

How can we talk about computation and coordination in the example above, and in 
what sense can they be separated? 

It seems intuitive to associate the “computational” part of the model to the set A of 
traces in the sense that this set is what captures the local behaviour of the process. 

It seems also clear that interconnection between processes, the “coordination” part
of the model, is achieved through the alphabets. Indeed, in the proposed model, processes
interact by synchronising at designated actions identified via morphisms from
what we could call channels (or points of rendez-vous). These channels correspond
to the middle process that we used in the previous example.

It is not difficult to see that only alphabets are involved in interconnections. On
the one hand, as we have seen, the alphabet of the process resulting from an interconnection
is obtained from the pushout of the underlying diagram of alphabets. The
behaviours of the processes involved do not interfere in this calculation. On the other
hand, the behaviour of the middle process is not relevant for determining the behaviour
of the resulting process: the interconnection is expressed, completely, in the
alphabet morphisms that result from the pushout. This property is illustrated by the
fact that every diagram of the form

$\langle A_1, \Lambda_1 \rangle \leftarrow \langle A, \Lambda \rangle \rightarrow \langle A_2, \Lambda_2 \rangle$

admits the same pushouts as the diagram

$\langle A_1, \Lambda_1 \rangle \leftarrow \langle A, (2^A)^\omega \rangle \rightarrow \langle A_2, \Lambda_2 \rangle$

Hence, for the purposes of interconnecting processes, it is sufficient to use middle
processes whose set of behaviours is the whole language. That is to say, we can
identify a precise class of channels from which any interconnection can be built.
Notice that the fact that such channels have the whole language for their set of behaviours
means that they have no behaviour of their own, i.e. are “passive” and just
transmit signals between components. Hence, they can be identified with alphabets.

In this sense, alphabets represent the coordination part of the model. They provide 
the interfaces over which interconnections between components are established. We 
can then say that coordination is separated from computation, and that the trace model 
we described is “coordinated over alphabets”. 

2.3 Coordinated Formalisms 

Let us see how, from the example above, we can generalise a set of requirements for
considering a category of systems, or abstractions of systems, to be “coordinated”
over a given notion of interface.

We shall take the separation between coordination and computation to be materialised
through a functor mapping systems to interfaces. We require this functor to be
faithful (injective over each hom-set), meaning that morphisms of systems cannot
induce more relationships between systems than between their underlying interfaces.

Consider given a category SYS (of systems) and a category INT (of interfaces) together
with a faithful functor $int: SYS \to INT$.

Which properties should we require of int that make SYS coordinated over INT?
Basically, we have to capture the fact that any interconnection of systems is established
via their interfaces. Part of this intuition can be expressed by the property that
the coordination functor int lifts colimits.

That is to say, given any diagram $dia: I \to SYS$ and colimit $(int(S_i) \to C)_{i:I}$ of $(dia; int)$
there exists a colimit $(S_i \to S)_{i:I}$ of $dia$ such that $int(S_i \to S) = (int(S_i) \to C)$. In other
words, if we interconnect system components through a diagram, then any colimit of
the underlying diagram of interfaces can be lifted to a colimit of the original diagram
of system components.

There are two aspects in this requirement that should be noted. 

On the one hand, lifting means that if the configuration of interfaces is “viable”, in
the sense that it has a colimit (i.e. gives rise to a system), then so is the corresponding
configuration of components. Indeed, although the category of processes defined in
2.1 is cocomplete, meaning that every diagram admits a colimit and, hence, represents
the configuration of a “real system”, not every category of systems needs to satisfy
this property. The requirement that int lifts colimits means that the computations
assigned to the components cannot interfere with the viability of the underlying configuration
of interfaces.

On the other hand, lifting of colimits also requires that the system that results from
the colimit in SYS be mapped to the underlying colimit of interfaces. That is to say,
the computations assigned to the components cannot restrict the interface of the resulting
system, which is calculated through the colimit in INT.

The inverse property requires that every interconnection of system components is
an interconnection of the underlying interfaces. In particular, it requires that the
computations do not make viable a configuration of system components whose underlying
configuration of interfaces is not viable. This property is verified when the
coordination functor int preserves colimits.

That is to say, given any diagram $dia: I \to SYS$ and colimit $(S_i \to S)_{i:I}$ of $dia$,
$(int(S_i) \to int(S))_{i:I}$ is a colimit of $(dia; int)$. This property means, using the terminology
of [1], that all colimits in SYS are concrete.

These two properties together imply that any colimit in SYS can be computed by
first translating the diagram to INT, then computing the colimit in INT, and finally
lifting the result back to SYS.

Preservation and lifting of colimits are two properties that relate diagrams in INT
and diagrams in SYS. We would now like that, similarly to what we showed for processes,
interconnections of components can be achieved by using interfaces, or system
components that “correspond” to interfaces (channels), as “middle objects”. The
property that we have in mind is the existence of discrete structures for int as a concrete
category in the sense of [1]:

For every interface $C : INT$ there exists $s(C) : SYS$ such that, for every morphism
$f: C \to int(S)$, there is a morphism $g: s(C) \to S$ such that $int(g) = f$.

That is to say, every interface C has a “realisation” (a discrete lift) as a system
component s(C) in the sense that, using C to interconnect a component S, which is
achieved through a morphism $f: C \to int(S)$, is tantamount to using s(C) through any
$g: s(C) \to S$ such that $int(g) = f$. Notice that, because int is faithful, there is only one
such g, which means that f and g are, essentially, the same. That is, sources of morphisms
in diagrams in SYS are, essentially, interfaces.

This property allows us to use graphical representations in which interfaces are
used as connectors between components, a kind of “hybrid diagrams” that are more
economical. For instance, in the previous section, discrete lifts are given by the pairs
$\langle A, (2^A)^\omega \rangle$. Indeed, morphisms between alphabets A and B are exactly the same as
morphisms between $\langle A, (2^A)^\omega \rangle$ and any process $\langle B, \Lambda \rangle$. Hence, we could have used

$P_1 \leftarrow A \rightarrow P_2$

to express the interconnection between $P_1$ and $P_2$.
Because int is faithful, the existence of discrete structures implies that int admits a
left adjoint $sys: INT \to SYS$ such that (1) $sys(C) = s(C)$ for every $C : INT$, and (2)
$sys; int = id_{INT}$. Hence, sys is a full embedding which means that, as illustrated in the
previous section, interfaces can be identified with a particular subclass of system
components: the subcategory of channels.

In [7,8], we characterised coordinated formalisms precisely in terms of the existence
of a full embedding that is a left adjoint for the forgetful functor int. We feel,
however, that the additional properties of preservation and lifting of colimits are
equally important. They are the ones that establish that colimits in INT and in SYS
have the same expressive power as far as interconnections of components are concerned.

The existence of discrete lifts allows us to simplify the way in which we interconnect
components by limiting “middle objects” to channels. Another consequence of
this fact is that, being faithful, int preserves colimits. Therefore, the characterisation
of coordination can be reduced to lifting of colimits and existence of discrete structures.

There is an observation that sheds additional light on the nature of the formalisms
that we have been characterising. The fact that int lifts colimits and has discrete
structures implies that SYS is “almost” topological over INT. To be topological [1],
int would have to lift colimits uniquely, which would make the concrete category
amnestic, i.e. the fibres of interfaces would have to be partial orders. As far as the
algebraic properties of the underlying formalism are concerned, this is not a problem
because every concrete category can be modified to produce an amnestic, concretely
equivalent version. However, and although the process category discussed in 2.1 is
amnestic, we shall see two examples of concrete categories that are not topological
but which we would still like to consider to be coordinated.



2.4 Summary 

Definition: A functor $int: SYS \to INT$ is said to be coordinated, and SYS is said to
be coordinated over INT, iff

• int is faithful;

• int lifts colimits;

• int has discrete structures.

Proposition: Let $int: SYS \to INT$ be coordinated. The following properties hold:

• int admits a left adjoint $sys: INT \to SYS$ which is a full embedding and satisfies
$sys; int = id_{INT}$;

• int preserves colimits;

• if INT is (finitely) cocomplete then so is SYS.

Proposition: Every topological category is coordinated. 

This property tells us that the class of coordinated categories has many “interesting”
categories. It also includes many categories that are “interesting” in Computing:

Proposition: Let $THE_I$ and $PRE_I$ be the categories of theories and theory presentations
of an institution I [14]. Both $THE_I$ and $PRE_I$ are coordinated over the underlying
category of signatures.

The same result holds if we work with $\pi$-institutions [6]. Recall that, in both cases
of institutions and $\pi$-institutions, the objects of $THE_I$ consist of pairs $\langle \Sigma, \Phi \rangle$ where $\Sigma$
is a signature and $\Phi$ is a set of sentences over the language of $\Sigma$ that is closed under
consequence. Theory morphisms are signature morphisms that induce inclusions
between the sets of theorems. Such categories are topological.

However, if we take the usual definition of $PRE_I$ as having for objects pairs $\langle \Sigma, \Phi \rangle$
where $\Sigma$ is a signature and $\Phi$ is a set of sentences over the language of $\Sigma$, not necessarily
closed under consequence, and for morphisms all signature morphisms that
induce theory morphisms between the presented theories (i.e. preserve theorems),
then we obtain a coordinated category that is not topological. Indeed, the class of
presentations over a given signature is not a partial order because any two presentations
of the same theory are isomorphic but not necessarily identical. In practical
terms, this means that colimits are not lifted uniquely from signatures to presentations.

We can also find plenty of examples of coordinated categories among models of 
concurrency, of which the model presented in section 2.1 is a particularly simple case. 



2.5 An Example from Coordination Languages 

In this section, we briefly discuss an example borrowed from coordination formalisms:
the language Gamma [2] based on the chemical reaction paradigm.

A Gamma program P consists of

• a signature $\Sigma = \langle S, \Omega, \Pi \rangle$, where S is a set of sorts, $\Omega$ is a set of operation symbols
and $\Pi$ is a set of relation symbols, representing the data types that the program
uses;

• a set of reactions, where a reaction R has the following structure:

$R = X,\ t_1, \ldots, t_n \to t'_1, \ldots, t'_m \Leftarrow c$

where

• X is a set (of variables); each variable is typed by a data sort in S;

• $t_1, \ldots, t_n \to t'_1, \ldots, t'_m$ is the action of the reaction - a pair of sets of terms
over X;

• c is the reaction condition - a proposition over X.

An example of a Gamma program is the following producer of burgers and salads
from, respectively, meat and vegetables:

PROD = sorts meat, veg, burger, salad

       ops vprod: veg → salad, mprod: meat → burger

       reactions m:meat, m → mprod(m)
                 v:veg, v → vprod(v)

Parallel composition of Gamma programs, defined in [2], is a program consisting
of all the reactions of the component programs. Its behaviour is obtained by executing
the reactions of the component programs in any order, possibly in parallel. This
leads us to the following notion of morphism. A morphism $\sigma$ between Gamma programs
$P_1$ and $P_2$ is a morphism between the underlying data signatures s.t. $\sigma(P_1) \subseteq P_2$,
i.e., $P_2$ has more reactions than $P_1$.

300

Jose Luiz Fiadeiro and Antonia Lopes

Concerning system configuration in Gamma, let us consider that we want to interconnect
the producer with the following consumer:

CONS = sorts food, waste

       ops cons: food → waste

       reactions f:food, f → cons(f)

The interconnection of the two programs is based on the identification of the food
the consumer consumes, that is, the interconnection is established between their data
types. For instance, the coordination of the producer and the consumer based on meat
is given by the following interconnection:

PROD ← (sorts s) → CONS



Gamma is, indeed, coordinated over the category of data types:

• the forgetful functor dt from Gamma programs to data types is faithful;

• given any diagram in the category Gamma, a colimit $\sigma_i: dt(P_i) \to \Sigma$ of the corresponding
diagram in the category of data types is lifted to the following colimit of
programs $\sigma_i: P_i \to \langle \Sigma, \bigcup_i \sigma_i(R_i) \rangle$;

• the discrete lift of a data type is the program with the empty set of reactions.

Notice, however, that we have extended the way in which Gamma programs are
traditionally put together. Gamma assumes a global data space whereas we have
made it possible for Gamma programs to be developed separately and put together by
matching the features that they are required to have in common. This localisation
further enhances the reusability of coordinated programs.



3 An Example from Parallel Program Design 

In order to consolidate the definitions put forward in the previous section we shall 
now discuss an example drawn from parallel program design. 

The language COMMUNITY [9] is similar to IP [10] and UNITY [3]. Its definition 
has evolved over the years through experience gained in using it in different contexts. 
It is precisely the changes that were required to make it coordinated that we shall 
illustrate in this section. On the one hand, we feel that these changes reveal more of 
our intuition of what it means to be “coordinated”. On the other hand, they reflect 
some of the typical hesitations that one faces when designing formalisms, and for 
which the need to establish coordinated frameworks helps to make a decision. 
3.1 COMMUNITY

We assume a fixed algebraic specification $\langle \Sigma, \Phi \rangle$ representing the data supported by
the language. That is to say, $\Sigma = \langle S, \Omega \rangle$ is a signature in the usual algebraic sense and
$\Phi$ is a set of (first-order) axioms over $\Sigma$ defining the properties of the operations.
Data types can be made local to each program but assuming them to be fixed simplifies
considerably the presentation.

A COMMUNITY program P has the following structure:

P = var V

    read R

    init I

    do []_{g∈Γ} g: [B(g) → ||_{a∈D(g)} a:=F(g,a)]

where

• V is the set of local attributes (i.e. the program "variables"); each attribute is typed
by a data sort in S;

• R is the set of read-only attributes used by the program (i.e. attributes that are to be
instantiated with local attributes of other components in the environment); each attribute
is typed by a data sort in S;

• $\Gamma$ is the set of action names; each action name has an associated statement (see
below) and can act as a rendez-vous point for program synchronisation;

• I is a condition on the attributes - the initialisation condition;

• for every action $g \in \Gamma$, D(g) is the set of attributes that g can change (its domain or
write frame); we also denote by D(a) the set of actions in $\Gamma$ that have the attribute a
in their write frame;

• for every action $g \in \Gamma$, B(g) is a condition on the attributes - its guard;

• for every action $g \in \Gamma$ and attribute $a \in D(g)$, F(g,a) is a term denoting the value that
g assigns to a.

An example of a COMMUNITY program is the following vending machine: 

VM = var ready, eat, drink: bool 
     do coin: [¬ready ∧ (eat∨drink) → ready:=tt || eat:=ff || drink:=ff] 
     [] cake: [ready ∧ ¬(eat∨drink) → eat:=tt || drink:=ff] 
     [] coke: [ready ∧ ¬(eat∨drink) → drink:=tt || eat:=ff] 
     [] reset: [ready ∧ (eat∨drink) → ready:=ff] 

The machine is initialised so as to accept only coins. Once it accepts a coin it can 
deliver either a cake or a coke (but not both). After delivering a cake or a coke it can 
only be reset, after which it is ready to accept more coins. 

A morphism σ between COMMUNITY programs P₁ and P₂ consists of: 

• a map σα: V₁∪R₁ → V₂∪R₂; 

• a map σγ: Γ₁ → Γ₂ 

such that, 

1. For every a∈V₁∪R₁, sort(a)=sort(σα(a)); 

2. For every a∈V₁, σα(a)∈V₂; 

3. For every a∈V₁, σγ(D₁(a))=D₂(σα(a)); 

4. Φ ⊢ (I₂ ⊃ σ(I₁)); 

5. For all g₁∈Γ₁, a₁∈D₁(g₁), 
   Φ ⊢ (B₂(σ(g₁)) ⊃ (F₂(σ(g₁),σ(a₁)) = σ(F₁(g₁,a₁)))); 

6. For every g₁∈Γ₁, Φ ⊢ (B₂(σ(g₁)) ⊃ σ(B₁(g₁))) 

where ⊢ means consequence in the first-order sense, and σ is also used to denote the 
translation induced by the morphism over the language of the source signature. 

Condition 1 indicates that morphisms have to respect the sorts of the attributes. 
Condition 2 means that local attributes of a component must also be local within the 
system. It also allows read attributes of a component to become local in the system; 
this is the typical situation when the attribute being read by the component is local to 
some other component within the same system. Condition 3 does not allow actions of 
the system that do not belong to the component to change the local attributes of the 
component. Condition 4 means that the initialisation condition of the component 
must be respected by the system. Condition 5 means that assignments made by the 
component are preserved. Condition 6 means that guards cannot be weakened. 
These conditions capture what in the literature is known as superposition [3]. 

An example of a morphism is the identity mapping the program below to the 
vending-machine defined above: 

SW = var ready: bool 
     init ¬ready 
     do coin: [¬ready → ready:=tt] 
     [] reset: [ready → ready:=ff] 


The morphism identifies a component within the vending machine, namely the 
mechanism that sets and resets it. Notice how new actions can be introduced which 
use the old attributes in the guards but cannot update them. The guards of the old 
actions can be strengthened and so can the initialisation condition. 
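The six morphism conditions above can be checked mechanically when every attribute is boolean, since "Φ ⊢ ..." then reduces to enumerating all states. The following is an added example (not from the paper) that does so for the identity from SW into VM, and for two variants of VM in which the identity fails; it assumes an init of ¬ready for VM, which the page does not show.

```python
from itertools import product

# Checker for the six conditions on COMMUNITY program morphisms, restricted to
# programs whose attributes are all of sort bool so that "Φ ⊢ ..." is decided by
# enumerating every state. Guards, initialisation conditions and assigned terms
# are Python functions of a state (a dict attr -> bool).

class Program:
    def __init__(self, local, read, init, actions):
        self.V = frozenset(local)      # local attributes V
        self.R = frozenset(read)       # read-only attributes R
        self.I = init                  # initialisation condition I
        self.actions = actions         # g -> (B(g), {a: F(g,a)}); the dict keys are D(g)

    def writers(self, a):
        """D(a): the actions that have attribute a in their write frame."""
        return {g for g, (_, frame) in self.actions.items() if a in frame}

    def states(self):
        attrs = sorted(self.V | self.R)
        for vals in product((False, True), repeat=len(attrs)):
            yield dict(zip(attrs, vals))

def violated_conditions(p1, p2, sa, sg):
    """Numbers of the conditions 1-6 that fail for σ = (σα = sa, σγ = sg) from p1 to p2.
    An empty list means σ is a (superposition) morphism."""
    bad = set()
    def tr(term):                      # σ(t): read p1's attributes through σα in a p2 state
        return lambda s: term({a: s[sa[a]] for a in sa})
    if set(sa) != p1.V | p1.R or set(sg) != set(p1.actions):
        bad.add(1)                     # every sort is bool here, so 1 reduces to totality of σ
    if any(sa[a] not in p2.V for a in p1.V):
        bad.add(2)                     # local attributes must stay local
    for a in p1.V:
        if {sg[g] for g in p1.writers(a)} != p2.writers(sa[a]):
            bad.add(3)                 # σγ(D1(a)) = D2(σα(a)): no new writers of a
    i1 = tr(p1.I)
    if any(p2.I(s) and not i1(s) for s in p2.states()):
        bad.add(4)                     # I2 ⊃ σ(I1)
    for g, (b1, f1) in p1.actions.items():
        b2, f2 = p2.actions[sg[g]]
        for s in p2.states():
            if not b2(s):
                continue               # 5 and 6 only constrain states where B2(σ(g)) holds
            if any(sa[a] not in f2 or f2[sa[a]](s) != tr(t)(s) for a, t in f1.items()):
                bad.add(5)             # assignments are preserved
            if not tr(b1)(s):
                bad.add(6)             # guards may be strengthened but not weakened
    return sorted(bad)

def variant(prog, name, guard=None, frame=None):
    """Copy of prog with one action's guard and/or write frame replaced."""
    acts = dict(prog.actions)
    b, f = acts[name]
    acts[name] = (guard or b, frame or f)
    return Program(prog.V, prog.R, prog.I, acts)

# The component SW and the vending machine VM of Section 3.1. The page shows no
# init line for VM; ¬ready is assumed here (an assumption of this example).
SW = Program(['ready'], [], lambda s: not s['ready'],
             {'coin':  (lambda s: not s['ready'], {'ready': lambda s: True}),
              'reset': (lambda s: s['ready'],     {'ready': lambda s: False})})

def served(s):
    return s['eat'] or s['drink']

VM = Program(['ready', 'eat', 'drink'], [], lambda s: not s['ready'],
             {'coin':  (lambda s: not s['ready'] and served(s),
                        {'ready': lambda s: True, 'eat': lambda s: False, 'drink': lambda s: False}),
              'cake':  (lambda s: s['ready'] and not served(s),
                        {'eat': lambda s: True, 'drink': lambda s: False}),
              'coke':  (lambda s: s['ready'] and not served(s),
                        {'drink': lambda s: True, 'eat': lambda s: False}),
              'reset': (lambda s: s['ready'] and served(s), {'ready': lambda s: False})})

IDENTITY = ({'ready': 'ready'}, {'coin': 'coin', 'reset': 'reset'})

def weakened_vm():
    """VM with coin's guard weakened to tt: the identity is no longer a morphism (condition 6)."""
    return variant(VM, 'coin', guard=lambda s: True)

def cake_resets_vm():
    """VM in which cake also writes ready: a new writer of SW's attribute breaks condition 3."""
    b, f = VM.actions['cake']
    return variant(VM, 'cake', frame=dict(f, ready=lambda s: False))

if __name__ == '__main__':
    print(violated_conditions(SW, VM, *IDENTITY))                # []
    print(violated_conditions(SW, weakened_vm(), *IDENTITY))     # [6]
    print(violated_conditions(SW, cake_resets_vm(), *IDENTITY))  # [3]
```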

Is COMMUNITY coordinated? Over what notion of interface? 



3.2 Lifting Colimits 

When one is defining a logic, or a model for concurrency, the nature of interfaces 
seems pretty obvious because there is a clear separation between “syntax”, i.e. the 
identification of the symbols over which language is generated, and “semantics” in 
the sense of what is defining the “contents” of the individual components. 

In COMMUNITY, the choice is perhaps less clear. It seems obvious that a program 
signature will have to include the set of attributes (read and local) and the set of ac- 
tions. But what about the other features? 

One criterion for deciding what to place in a signature is the need to be able to lift 
colimits. Naturally, the more we put in signatures the easier it is for colimits to be 
lifted. However, we want to put in signatures as little as possible so that we end up 
with interfaces that are as simple as possible. As shown, for instance, in [8], this is 
important for facilitating the establishment of relationships like adjunctions between 
the interface categories of different coordinated formalisms. 
It is not difficult to see that, if we consider that program signatures are triples 
<V,R,Γ>, we are not able to lift colimits. For instance, we cannot interconnect the 
following programs P₁ and P₂ by synchronising actions g₁ and g₂ in P₁. 

P = do g₁: [tt → skip] 
    [] g₂: [tt → skip] 

P₁ = var a: bool                P₂ = do g: [tt → skip] 
     do g₁: [tt → a:=tt] 
     [] g₂: [tt → skip] 

Such an interconnection of programs does not admit a colimit although the corre- 
sponding diagram of signatures clearly admits a pushout consisting of a local attribute 
a and an action g. This happens because the restriction on domains (3), applied to g₁, 
requires that the resulting synchronised action belongs to the write frame of a 
whereas, when applied to g₂, it requires that it does not belong to the write frame of a. 

This example shows that, without including domains in signatures, it is not possi- 
ble to lift colimits. More concretely, it shows that what is being left in the computa- 
tion side of programs interferes with the interconnections. Indeed, action domains 
enforce locality of attributes and, therefore, constrain the interference that can exist 
between programs. That is to say, action domains are part of what in COMMUNITY is 
responsible for coordination and, therefore, must be part of interfaces. 

The suggestion, then, is that program signatures are triples <V,R,Γ> where Γ, 
rather than a set, is a 2^V-indexed family of sets (the index of a set is the domain of the 
actions in that set) and signature morphisms satisfy the equality of domains expressed 
in condition 3 of program morphisms. 

Notice that, in this case, the diagram of signatures obtained from the diagram 
above does not admit a colimit, meaning that the configuration is not viable. Indeed, 
we are attempting to synchronise two actions within a program, which may not be 
feasible due to conflicting types. 



3.3 Existence of Discrete Structures 

Consider now the need to define, for every program signature, its discrete lift, i.e. the 
program over that signature that can replace it when establishing interconnections 
with other programs. The condition that we discussed in section 2.3 basically means 
that such discrete lifts need to be “neutral” with respect to the computational aspects 
so as not to compromise the establishment of relationships (morphisms). A neutral 
initialisation condition is any tautology. The same holds for action guards. 

Assignments raise a more interesting case. Let σ:<V,R,Γ>→<V',R',Γ'> be a sig- 
nature morphism, where <V',R',Γ'> is the signature of some program P'. For σ to be 
a morphism from the discrete lift of <V,R,Γ> to P' it is necessary that Φ ⊢ B'(σ(g)) ⊃ 
(F'(σ(g),σ(a))=σ(F(g,a))), for every a∈D(g). 
Clearly, given g∈Γ and a∈D(g), we cannot find a value F(g,a) that satisfies that 
property for any possible F'. That is to say, given an action and an attribute in its 
domain, it is not always possible to find a value for the assignment such that we can 
match any other assignment. 

Does this mean that we should shift assignments into signatures? 

Shifting assignments into signatures would mean that they are one of the factors 
that restrict the kind of interconnections allowed in COMMUNITY. This is indeed the 
case. For instance, we cannot interconnect the following two programs 

P₁ = var a: {1,-1}              P₂ = var a: {1,-1} 
     do g: [b₁ → a:=1]               do g: [b₂ → a:=-1] 

by a middle object of the form 

P = var a: {1,-1} 
    do g: [tt → a:=e] 

in order to make them share attribute a and synchronise at action g. Indeed, the local 
assignments on a are conflicting, i.e. there is no term e that can be mapped to 
both 1 and -1. 

Hence, it is only natural that we recognise that assignments are one of the instru- 
ments of coordination. Notice that we can, however, interconnect the signatures of 
the two programs through int(P) so as to produce the desired synchronisation. The 
problem is that the middle signature, consisting of local attribute a and action g with 
domain {a}, cannot be lifted to a middle program. 

On the other hand, recognising this fact may make us feel uncomfortable about the 
model of coordination that we have defined. For instance, we might feel that the 
interference between the assignments is only a problem if the synchronised action 
occurs. The practical effect of guarding the equality between assigned values in con- 
dition 5 of morphisms should be to forbid the execution of the system action when- 
ever it is required to perform conflicting assignments. Hence, we might be interested 
in a model of coordination that would postpone the resolution of interfering assign- 
ments to execution time, allowing the configuration to be established. 

This means that we need to change our notion of program to allow for discrete 
lifts! This is exactly what happened between [9] and [7]. The solution we found was 
to introduce non-deterministic assignments. The assignment lifted from a signature is 
the universal one, i.e. it assigns the whole range of possible values, thus ensuring 
“neutrality”. In the case of the example above, we would use the program (channel) 

P = var a: {1,-1} 
    do g: [tt → a:∈{1,-1}] 

together with identity morphisms for the interconnections. The program resulting 
from the interconnection is (see the summary section for details on the construction) 

P' = var a: {1,-1} 
     do g: [b₁∧b₂ → a:∈∅] 

which is idle for as long as b₁ or b₂ are false, and deadlocks when they both are true. 
3.4 Summary 

The resulting coordinated category can be defined as follows: 

Definition: A program signature is a triple <V,R,Γ> where 

• V and R are S-indexed families of sets where S is the set of sorts. 

• Γ is a 2^V-indexed family of sets. We denote by D(g) the type of each g in Γ. 

All these sets of symbols are assumed to be finite and mutually disjoint. 

Definition/Proposition: Given signatures θ₁=<V₁,R₁,Γ₁> and θ₂=<V₂,R₂,Γ₂>, a 
signature morphism σ from θ₁ to θ₂ is a pair <σα:V₁∪R₁→V₂∪R₂, σγ:Γ₁→Γ₂> of func- 
tions such that, 

1. For every a∈V₁∪R₁, sort(a)=sort(σα(a)). 

2. For every a∈V₁, σα(a)∈V₂. 

3. For every a∈V₁, σγ(D₁(a))=D₂(σα(a)). 

Program signatures and morphisms constitute a category SIG. 

Definition: A program is a pair <θ,Δ> where θ is a signature <V,R,Γ> and Δ, the 
body of the program, is a triple <I,F,B> where 

• I is a proposition over the local attributes (V); 

• F assigns to every action g∈Γ a non-deterministic command, i.e. F maps every 
attribute a in D(g) to a set expression F(a); 

• B assigns to every action g∈Γ a proposition over the attributes (V and R). 

Definition/Proposition: A program morphism σ:<θ₁,Δ₁>→<θ₂,Δ₂> is a signature 
morphism σ:θ₁→θ₂ such that 

1. Φ ⊢ (I₂ ⊃ σ(I₁)). 

2. For all g₁∈Γ₁, a₁∈D₁(g₁), Φ ⊢ (B₂(σ(g₁)) ⊃ (F₂(σ(g₁),σ(a₁)) ⊆ σ(F₁(g₁,a₁)))). 

3. For every g₁∈Γ₁, Φ ⊢ (B₂(σ(g₁)) ⊃ σ(B₁(g₁))). 

where ⊢ means validity in the first-order sense. Programs and superposition mor- 
phisms constitute a category PRO. 

Proposition: The forgetful functor sig mapping programs to the underlying signa- 
tures lifts colimits as follows: let dia:X→PRO be a diagram and (σᵢ;sig: θᵢ→θ)ᵢ:X a 
colimit of (dia;sig); the colimit of dia lifted by sig is characterised by: 

• the initialisation condition I is ∧{σᵢ(Iᵢ) | i:X}; 

• given any action g∈Γ, B(g) is ∧{σᵢ(Bᵢ(g')) | σᵢ(g')=g, g'∈Γᵢ, i:X}; 

• given any action g∈Γ and a∈D(g), 
  F(g,a) = ∩{σᵢ(Fᵢ(gᵢ,aᵢ)) | σᵢ(gᵢ)=g, σᵢ(aᵢ)=a, i:X}. 

Proposition: The functor sig has discrete structures. The discrete lift for a signa- 
ture <V,R,Γ> is the program defined by: 

var V 
read R 
init tt 
do []g∈Γ g: [tt → ||a∈D(g) a:∈s_a] 

where s_a is a term expression denoting the whole set of elements of the sort of a. 
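The construction summarised above (conjunction of guards, intersection of set-valued assignments, and the discrete lift) applied to the P₁/P₂ interconnection of Section 3.3, as an added example that is not part of the paper. The colimit signature and its injections are taken as given, and b₁, b₂ are treated as opaque guard atoms.

```python
# Lifted colimit for COMMUNITY programs with non-deterministic assignments.
# Guards and initialisation conditions are kept symbolic as conjunctions of
# atoms (a frozenset of atom names; the empty conjunction is tt); an assignment
# F(g,a) is the set of values it may choose; a morphism σ is written as three
# plain dicts (attribute map, action map, guard-atom map).

def discrete_lift(sorts, domains):
    """Discrete lift of a signature: init tt, every guard tt, and a:∈(whole sort).
    sorts: attr -> values of its sort; domains: action g -> its write frame D(g)."""
    return {'init': frozenset(),
            'actions': {g: (frozenset(), {a: set(sorts[a]) for a in dom})
                        for g, dom in domains.items()}}

def translate(guard, atom_map):
    """σ applied to a guard: rename its atoms along the morphism."""
    return frozenset(atom_map.get(x, x) for x in guard)

def lift_colimit(diagram, result_actions):
    """diagram: list of (program, (attr_map, action_map, atom_map)), the maps being
    the colimit injections σi of the signature diagram (assumed already computed).
    Returns the program over the colimit signature given by the proposition."""
    init = frozenset()
    for prog, (_, _, atom_map) in diagram:
        init |= translate(prog['init'], atom_map)       # I = ∧ σi(Ii)
    actions = {}
    for g in result_actions:
        guard, frame = frozenset(), {}
        for prog, (attr_map, action_map, atom_map) in diagram:
            for gi, (bi, fi) in prog['actions'].items():
                if action_map[gi] != g:
                    continue
                guard |= translate(bi, atom_map)        # B(g) = ∧ σi(Bi(g'))
                for ai, values in fi.items():           # F(g,a) = ∩ σi(Fi(gi,ai))
                    a = attr_map[ai]
                    frame[a] = frame[a] & values if a in frame else set(values)
        actions[g] = (guard, frame)
    return {'init': init, 'actions': actions}

def refines(component, sigma, lifted):
    """Condition 2 of program morphisms for an injection σ: F2(σ(g),σ(a)) ⊆ σ(F1(g,a))."""
    attr_map, action_map, _ = sigma
    return all(lifted['actions'][action_map[g]][1][attr_map[a]] <= values
               for g, (_, frame) in component['actions'].items()
               for a, values in frame.items())

def status(prog, g, env):
    """What action g can do in a state where env says which guard atoms hold."""
    guard, frame = prog['actions'][g]
    if not all(env.get(x, False) for x in guard):
        return 'idle'          # guard false: the system simply waits
    if any(not values for values in frame.values()):
        return 'deadlock'      # a:∈∅ has no value to choose, so g can never execute
    return 'enabled'

# The two programs of Section 3.3 and the channel P, which is the discrete lift
# of the middle signature (local attribute a, action g with domain {a}).
P1 = {'init': frozenset(), 'actions': {'g': (frozenset({'b1'}), {'a': {1}})}}
P2 = {'init': frozenset(), 'actions': {'g': (frozenset({'b2'}), {'a': {-1}})}}
P = discrete_lift({'a': {1, -1}}, {'g': {'a'}})
IDENTITY = ({'a': 'a'}, {'g': 'g'}, {})
# P_PRIME is the P' of the text: guard b1∧b2, assignment a:∈∅
P_PRIME = lift_colimit([(P, IDENTITY), (P1, IDENTITY), (P2, IDENTITY)], ['g'])

if __name__ == '__main__':
    print(P_PRIME)
    for env in ({'b1': True, 'b2': False}, {'b1': True, 'b2': True}):
        print(env, status(P_PRIME, 'g', env))
```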
4 Concluding Remarks 

In this paper, we proposed a formalisation for the property according to which a 
framework for system design supports the separation between computation and coor- 
dination. We used Goguen’s categorical approach to systems design [13,15] as a 
platform for the formalisation. The perceived advantages of the proposed notion of 
coordination are the following. 

On the one hand, it provides us with a way of checking whether a given formalism 
supports the separation between computation and coordination, which we take as 
being a good measure of the ability of the formalism to cope with the complexity of 
systems. In the paper, we borrowed examples from specification logics, mathemati- 
cal models of behaviour, parallel program design languages and coordination lan- 
guages to illustrate these points, which shows that “coordination” is more than a prop- 
erty of “programming languages”, i.e. it applies to other levels of specification and 
design. 

On the other hand, because such an algebraic characterisation of coordination is 
independent of specific languages and models, it provides us with a framework for 
the integration of different formalisms for software specification and design that is 
based on relationships between their interaction models rather than their computa- 
tional paradigms (the latter being recognisably much harder to integrate). For in- 
stance, the earlier work reported in [7] provides a formal account of some of the con- 
tributions of “coordination” to the architectural approach to software design [17]. It 
also suggests ways of extending the expressive power of current architectural de- 
scription languages by supporting heterogeneous connectors, i.e. connectors in which 
the roles and the glue are not necessarily described in the same formalism. In a re- 
lated context, the work reported in [8] shows that interconnections between programs 
can be synthesised from interconnections between their specifications in “coordi- 
nated” frameworks. It also characterises a stronger notion of compositionality in 
which implementation of computations is decoupled from coordination aspects. 

Work is now in progress towards studying the impact that coordination may have 
on the analysis of behavioural properties of systems, as well as on the characterisation 
and analysis of the behavioural properties of configurations of systems. 
Abstract. In this paper we present a strategy for combining processes 
belonging to the same hardware or software component (cluster), in the 
context of hardware/software partitioning of a system. The strategy takes 
as input an Occam description of a system. This description is the paral- 
lel composition of the system components in a predefined form, together 
with annotations that indicate how the processes, in each cluster, must 
be combined: by serialisation or by parallelisation. The description given 
as input can be seen as a binary tree. The strategy to combine processes 
is based on the reduction of possible configurations in that tree, by us- 
ing transformation rules which are provable from an algebraic semantics 
of Occam. 



1 Introduction 

Hardware/Software Co-design is the design of systems comprising two kinds of 
components: specific application (hardware) components and general programmable 
ones (software components). The decision about which parts of the system will be 
implemented in hardware or in software is characterised as the partitioning problem. 
Partitioning is a well-known NP-complete problem, and thus some heuristic algorithms 
to perform the hardware/software partitioning have been developed. Recently, some 
works have suggested the use of formal methods to validate the partitioning process. 
However, none of them includes a formal verification that the partitioning preserves 
the semantics of the original description. 

In [?] Barros and Sampaio present some initial ideas towards a partitioning approach 
whose emphasis is correctness. The proposed approach uses occam as the description 
and reasoning language, and suggests that partitioning can be characterised as a 
program transformation task. This work was the seed of the PISH project [?], whose 
goal was to develop an environment for hardware/software co-design that comprises 
all the steps from the partitioning of the system into hardware and software 
components to the layout generation of the hardware. 
The ideas suggested in [?] were illustrated through a case study but no formal 
strategy to perform the partitioning was presented. In [?] Silva et al. give a 
more precise characterisation of the partitioning process, which clearly separates 
correctness from efficiency issues. The proposed approach comprises four phases: 
splitting, classification, clustering and joining. The major contribution of the 
work reported in [?] is the complete formalisation of the splitting phase, which 
transforms the input description into a set of parallel processes in a normal 
form, suitable for classification and clustering analysis. The formalism employed 
is Occam and the algebraic laws that define its semantics [?]. 

This work further develops the ideas described in [?] and presents a strat- 
egy for the joining phase, in which the processes belonging to the same cluster 
are effectively combined. This strategy is based on algebraic transformations, 
and deals with a subset of the Occam language which does not include iteration. 

This paper is organised as follows: after presenting the relevant subset of 
Occam (Section 2), the partitioning process is described (Section 3). Then we 
present the strategy for the joining phase (Section 4). Finally, the last section sum- 
marises the contribution of this paper, briefly describes the environment that 
implements our partitioning strategy, and discusses topics of further research. 



2 A Language of Communicating Processes 

The goal of this section is to present the language which is used both to describe 
the applications and to reason about the partitioning process itself. This lan- 
guage is a subset of occam, defined by the BNF-style syntax given below. For 
convenience, we sometimes linearise Occam syntax in this paper. For example, 
we may write SEQ(P1, P2, ..., Pn) instead of the standard vertical style. 

P ::= SKIP | STOP | x := e | ch ? x | ch ! e 
    | IF (c1 P1, c2 P2, ..., cn Pn) | ALT (c1&g1 P1, c2&g2 P2, ..., cn&gn Pn) 
    | SEQ (P1, P2, ..., Pn) | PAR (P1, P2, ..., Pn) 
    | VAR x: P | CHAN ch: P 

In what follows we give a short description of these commands (for more 
details see, for example, [?]). The SKIP construct has no effect and always ter- 
minates successfully. STOP is the canonical deadlock process which can make no 
further progress. The commands x := e, ch ? x and ch ! e are assignment, 
input and output commands, respectively; the communication in occam is syn- 
chronous. The commands IF and ALT select a process to execute, based on a 
condition (IF) or on a guard (ALT). The commands SEQ and PAR denote the 
sequential and parallel composition of processes, respectively. Processes within 
a PAR constructor run concurrently, with the possibility of communication be- 
tween them, and cannot share variables. The constructs VAR and CHAN declare 
local variables and channels, respectively. Here we avoid mentioning a particular 
type for the declared variables or channels. 
The main reason for choosing Occam as the description language is that Occam 
obeys a set of algebraic laws which can be used to carry out program 
transformation with the preservation of semantics. For example, in what fol- 
lows, Law 1 and Law 2 define the symmetry and the associativity of the PAR 
constructor, respectively; Law 3 expresses the associativity of the SEQ construc- 
tor. 

Law 1: PAR(P1, P2) = PAR(P2, P1) 

Law 2: PAR(P1, P2, ..., Pn) = PAR(P1, PAR(P2, ..., Pn)) 

Law 3: SEQ(P1, P2, ..., Pn) = SEQ(P1, SEQ(P2, ..., Pn)) 


3 The Hardware/Software Partitioning Approach 

The general structure of the partitioning approach adopted in this work is de- 
picted in Figure 1. The target architecture underlying this approach includes a 
single software component and an arbitrary number of hardware components, 
which can exhibit distinct degrees of parallelism. 

Fig. 1. The partitioning phases. 



As mentioned in Section 1, our partitioning approach accepts as input an 
Occam description of a system and carries out the partitioning in four phases: 
splitting, classification, clustering, and joining. There is a clear orthogonality 
between efficiency and correctness issues in our approach. The phases represented 
by white boxes (classification and clustering) are concerned with the efficiency 
of the partitioning process and are based on the work proposed by Barros [2]. 
The phases represented by gray boxes (splitting and joining) are related to the 
correctness of the partitioning process (in the sense of preserving the semantics of 
the original description) and have been originally suggested in [?]. The splitting 
phase has been completely formalised in [?] and the aim of this work is to 
present a strategy for the joining phase (Section 4). 

To carry out partitioning, we extend the subset of Occam given in Section 2 to 
include six new constructors: BOX, CON, PARsw, PARhw, PARpar, and PARser. 
These constructors can be regarded as annotations useful for the partitioning 
process and have no semantic effect. For example, BOX P = P and PARsw P = 
PAR P. The BOX constructor allows user interaction and is used to indicate that 
part of the description must be considered as an atomic process, into which the 
splitting rules should not be applied. The cost of all processes included into a 
BOX constructor is analysed as a whole by the clustering phase. This constructor 
is very useful, for example, when the designer knows beforehand that part of 
the description will necessarily be implemented in hardware, say to make use of 
existing hardware components. The CON constructor is an annotation for con- 
trolling processes, whose usefulness will become clear in the next section. The 
constructors PARsw and PARhw are used to indicate the software and hardware 
clusters, respectively. The constructors PARpar and PARser specify which pro- 
cesses should be parallelised or serialised, respectively. In what follows we give 
an overview of each partitioning phase. 



3.1 The Splitting Phase 

The goal of the splitting phase is to transform the original description into a set 
of simple parallel processes, with the normal form below: 

CHAN ch1, ch2, ..., chn : PAR(P1, P2, ..., Pn)    (1) 

The definition of simple process is given in [?]. Here it is enough to mention 
that each simple process has at most one atomic process to execute, which can 
be either an assignment, a communication command or a BOX constructor. This 
level of granularity allows the analysis of every possibility of combining the com- 
mands of the original program, exploring the different ways of sharing resources. 
Furthermore, since PAR is a commutative operator in Occam, the normal form 
above allows the classification and clustering phases to analyse all permutations 
for combining processes in hardware or in software components. 

To transform the original program into the above normal form a reduction 
strategy, given in [?], is performed. This strategy applies, to the original de- 
scription, algebraic rules which are derived from the basic laws of Occam. 

The description generated by the splitting phase has two major characteris- 
tics. First, each process is closed in the sense that all free¹ variables used and 
assigned in this process are declared locally. Moreover, for every pair of processes, 
a controlling process is introduced. The controlling process acts as an interface 
between each process under its control and the environment. 

To give an idea of some steps of the splitting strategy, consider the example 
of Figure 2(a). For this simple example, the splitting strategy begins by applying 
Law 3 to transform this description into one in binary form, as shown in Figure 
2(b). After that, each named process is turned into one which is simple and 
closed, controlling processes are added, and the description is transformed into 
one in the form of Equation (1) (see Figure 2(e)). Observe that the process CS7 is 
the controlling process of P8 and P9. Thus, although P8 and P9 are in parallel, in 
fact their execution is sequential: first CS7 synchronises with P8 through channels 
ch13 and ch14, and only after that CS7 synchronises with P9 through channel 
ch15. CP2 is the controlling process of P3 and P4, CS5 is the controlling process 
of P6 and CS7, and so on. It might seem strange that processes originally in 
parallel (like P3' and P4') need a controlling process, but the introduction of 
this kind of controlling process is essential to maintain a desirable uniformity 
during the splitting strategy. 

¹ If P is some Occam term and x is a variable, we say that an occurrence of x in P is 
free if it is not in the scope of any declaration of x in P, and bound otherwise. 

For didactic purposes, we can represent the description generated by the 
splitting phase by using binary trees. The nodes of this tree are parallel processes 
and the edges represent the introduced communication between the controlling 
process and each process under its control. To distinguish processes of the original 
description from controlling processes, we represent the former ones by circles 
and the latter ones by boxes if they are sequential controllers, and by lozenges 
if they are parallel controllers. The leaves of this tree are always processes of 
the original description. This kind of representation will be used in the remainder 
of this paper. Considering Figure 2, the diagrammatic representation of the 
description shown in (e) is depicted in (c). 

Fig. 2. An example to illustrate the partitioning strategy. (Panels (b), (c) and (d) are diagrams in the original; only their textual content is reproduced here.) 

(a) The original description: 

CHAN ch: 
  VAR x,y,z: 
    SEQ 
      PAR(x:=2, y:=1) 
      y := y + 2*x 
      z := x*(x+2) 
      ch ! x 

(b) The same description in binary form (after Law 3), with named processes P3' and P4' (the two assignments in the PAR), P6' (y := y + 2*x), P8' (z := x*(x+2)) and P9' (ch ! x). 

(c) The splitting tree, with sequential controllers CS1, CS5 and CS7 and parallel controller CP2. 

(d) A clustering result (fragment): CHAN ch, ch1, ..., ch15: PAR of a PARsw cluster containing PARser(P9, P3, P4) and a PARhw cluster containing PARpar(P6, P8). 

(e) The description generated by the splitting phase: 

CHAN ch, ch1, ch2, ..., ch15: 
PAR 
  VAR x,y,z: CON(SEQ(ch1!x,y, ch2?x,y, ch3!x,y,z, ch4?y,z)) CS1 
  VAR x,y: CON(SEQ(ch1?x,y, PAR(SEQ(ch5!x, ch6?x), SEQ(ch7!y, ch8?y)), ch2!x,y)) CP2 
  VAR x: SEQ(ch5?x, x:=2, ch6!x) P3 
  VAR y: SEQ(ch7?y, y:=1, ch8!y) P4 
  VAR x,y,z: CON(SEQ(ch3?x,y,z, SEQ(ch9!y,x, ch10?y, ch11!x,z, ch12?z), ch4!y,z)) CS5 
  VAR x,y: SEQ(ch9?y,x, y:= y + 2*x, ch10!y) P6 
  VAR x,z: CON(SEQ(ch11?x,z, SEQ(ch13!x,z, ch14?z, ch15!x), ch12!z)) CS7 
  VAR x,z: SEQ(ch13?x,z, z:= x*(x+2), ch14!z) P8 
  VAR x: SEQ(ch15?x, ch!x) P9 




We use some auxiliary notations, useful for the next partitioning phases. USED 
and ASS stand for the lists of used and assigned free variables of the considered 
processes, respectively. INPUT and OUTPUT stand for the lists of input and output 
channels of the considered process, respectively. In the case of a controlling 
process, these lists are the union of the lists of the processes under its control. 
In addition, we give a label and a name for each process Q. The name is the 
concatenation of the identification and the depth of Q. The identifications are 
CS, CP and P, standing for sequential controller, parallel controller and process 
of the original description, respectively. The depth is an integer number that 
expresses the order in which Q is visited, when a depth-first search is applied on 
the splitting tree. The label expresses the history of Q, by the concatenation of 
the names of all its ancestors in the splitting tree, beginning with the name of 
its father. For example, the complete representation of process P9 is given below. 

USED(x):ASS():INPUT():OUTPUT(ch):CS7CS5CS1:P9:VAR x:SEQ(ch15?x, ch!x) 

Observe that the names of the processes in Figure 2(e) follow the notation just 
described. To refer to an arbitrary process, we use P (possibly with sub- 
scripts) to range over processes. 
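The record format just described, together with the dependency test on the USED/ASS lists that Section 4.1 later defines (a process pair may only be parallelised when the test is FALSE), as an added example that is not the PISH environment's code. P9's record is the one given in the text; the records for P3, P4, P6 and P8 are constructed here from the statements in Figure 2(e).

```python
import re

# Parser for the USED:ASS:INPUT:OUTPUT:label:name:body records of the splitting
# phase, and the data-dependency check the joining phase applies before it
# combines two processes in parallel.

RECORD = re.compile(r'^USED\((.*?)\):ASS\((.*?)\):INPUT\((.*?)\):OUTPUT\((.*?)\)'
                    r':([^:]*):([^:]*):(.*)$')

def _names(field):
    return frozenset(n.strip() for n in field.split(',') if n.strip())

def _ancestors(label):
    # the label is the concatenation of the ancestors' names, father first
    return re.findall(r'(?:CS|CP|P)\d+', label)

def parse_record(line):
    """Split one record into its four lists, label, name and Occam body."""
    m = RECORD.match(line.strip())
    if not m:
        raise ValueError('not a process record: ' + line)
    used, ass, inp, out, label, name, body = m.groups()
    return {'USED': _names(used), 'ASS': _names(ass), 'INPUT': _names(inp),
            'OUTPUT': _names(out), 'label': label, 'name': name, 'body': body,
            'ancestors': _ancestors(label)}

def controller_record(name, label, children):
    """Lists of a controlling process: the union of the lists of its children."""
    rec = {'name': name, 'label': label, 'ancestors': _ancestors(label)}
    for key in ('USED', 'ASS', 'INPUT', 'OUTPUT'):
        rec[key] = frozenset().union(*(c[key] for c in children))
    return rec

def dependency(q1, q2):
    """TRUE iff (ASS(Q1) ∪ USED(Q1)) ∩ ASS(Q2) ≠ ∅ or (ASS(Q2) ∪ USED(Q2)) ∩ ASS(Q1) ≠ ∅."""
    return bool((q1['ASS'] | q1['USED']) & q2['ASS']) or \
           bool((q2['ASS'] | q2['USED']) & q1['ASS'])

def can_parallelise(q1, q2):
    """Two processes may be put in a PAR only when they have no data-dependency."""
    return not dependency(q1, q2)

# P9's record is taken from the text; the others are constructed from Figure 2(e),
# with USED/ASS read off the original statements (x:=2, y:=1, y := y + 2*x, ...).
RECORDS = [
    'USED():ASS(x):INPUT():OUTPUT():CP2CS1:P3:VAR x:SEQ(ch5?x, x:=2, ch6!x)',
    'USED():ASS(y):INPUT():OUTPUT():CP2CS1:P4:VAR y:SEQ(ch7?y, y:=1, ch8!y)',
    'USED(x,y):ASS(y):INPUT():OUTPUT():CS5CS1:P6:VAR x,y:SEQ(ch9?y,x, y:= y + 2*x, ch10!y)',
    'USED(x):ASS(z):INPUT():OUTPUT():CS7CS5CS1:P8:VAR x,z:SEQ(ch13?x,z, z:= x*(x+2), ch14!z)',
    'USED(x):ASS():INPUT():OUTPUT(ch):CS7CS5CS1:P9:VAR x:SEQ(ch15?x, ch!x)',
]
PROCS = {r['name']: r for r in map(parse_record, RECORDS)}

if __name__ == '__main__':
    print(can_parallelise(PROCS['P6'], PROCS['P8']))   # True: PARpar(P6, P8) is allowed
    print(can_parallelise(PROCS['P3'], PROCS['P6']))   # False: P6 reads the x that P3 assigns
    cs7 = controller_record('CS7', 'CS5CS1', [PROCS['P8'], PROCS['P9']])
    print(sorted(cs7['USED']), sorted(cs7['ASS']), sorted(cs7['OUTPUT']))
```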

3.2 The Classification and Clustering Phases 

After the splitting phase, the classification and clustering take place. The clas- 
sification phase establishes a set of implementation alternatives, for each simple 
process, whereas the clustering phase maps the simple processes to a hardware 
or software cluster, based on hardware heuristics which include the consideration 
of communication costs and the area/delay tradeoff. 

Figure 2(d) illustrates a possible clustering result for the previous example. 
It indicates that the original description will now be implemented partially in 
software and partially in hardware. Moreover, it is required that processes P6 
and P8 be implemented in parallel, instead of their original sequential order. On 
the other hand, P3 and P4 should be implemented in sequence. 

3.3 The Joining Phase 

The clustering phase establishes the clusters composition, but does not effectively 
combine the processes into the same cluster. This is carried out at the joining 
phase, by applying algebraic rules to transform the description generated by the 
clustering phase into one in the form: 

CHAN ch1, ch2, ..., chn : PAR(SW, H1, H2, ..., Hr)    (2) 

where SW and each Hs, 1 ≤ s ≤ r, are the generated clusters. Each Pi generated 
by the splitting phase (see Equation (1)) is in exactly one of these clusters. Note 
that in this way we capture the precise mathematical notion of partition. The 
SW, by convention, stands for the software process and each Hs for one hardware 
process. 

4 The Joining Strategy 

There are two major tasks to be performed during the joining phase: combining 
processes belonging to the same cluster in sequence or in parallel. The strategy 
to perform the combination should eliminate the local communication among 
processes, as well as auxiliary variables introduced during the splitting phase. 

Related to these tasks, there are two major problems to consider. Firstly, the 
serialisation of processes originally in parallel can introduce deadlock. On the 
other hand, processes originally in sequence can have data-dependency and the 
parallelisation of these processes is not allowed in Occam. Also, the parallelisation 
of processes can eliminate deadlock, therefore changing the semantics of the 
input description. So, the strategy must check some conditions to avoid these 
two problems. We assume that the input description is deadlock free; we consider 
that deadlock absence of the input description is a separate concern which should 
be checked at an earlier stage - as part of the validation of the specification. Thus, 
we should be concerned only with avoiding introducing deadlock. 

Although the splitting strategy deals with iteration, the joining strategy de- 
scribed in this paper considers the subset of the Occam language presented in 
Section 2. 

The joining strategy is based on the transformation and reduction of config- 
urations in a binary tree which represents the current description, by applying 
algebraic rules. There are two kinds of configurations to consider: basic and in- 
termediary. Sections 4.1 and 4.2 present these configurations and some of the 
rules necessary to transform them, and Section 4.3 describes the algorithm which 
guides the application of the rules. For didactic purposes, the joining rules are 
expressed in a diagrammatic version. We select one of these rules and show how 
it can be expressed as an equation relating Occam terms. The Occam description 
of the complete set of rules is given in [?]. In addition to circles, boxes and 
lozenges, a triangle is used to represent an arbitrary subtree. Moreover, if pro- 
cesses Px and Py are combined, we use the notation Px.y as the symbolic name of 
the new combined process. 



4.1 Basic Configurations 

Basic configurations are the ones that, after being transformed, reduce the size (number of nodes) of the splitting tree. A reduction is performed through the elimination of one controlling process and the combination of two brother processes, say P1 and P2. Figure 3(a) shows the two possible basic configurations. 

Processes structured as in a basic configuration can be combined in sequence or in parallel. If, for example, these processes were originally in sequence and must be combined in sequence, the inverse procedure of the splitting phase can be directly applied. Otherwise, if they must be combined in parallel, it is necessary to guarantee that they have no data-dependency, as parallel processes in Occam cannot share variables. Rule 1 in Figure 3(b) is used to parallelise two processes originally in sequence. The boolean function dependency, when applied to two arbitrary processes, say Q1 and Q2, verifies the condition 

$(ASS(Q_1) \cup USED(Q_1)) \cap ASS(Q_2) \neq \emptyset \quad \text{or} \quad (ASS(Q_2) \cup USED(Q_2)) \cap ASS(Q_1) \neq \emptyset$ 

and returns TRUE if this condition is satisfied (Q1 and Q2 have a data-dependency), and FALSE otherwise. The textual version of this rule is shown in (c) of the same figure, where the lists, the label and the name associated with each process are intentionally omitted. Notice that a function F is used to represent an arbitrary context which includes P1 and P2 as subcomponents, as they can belong to a PARpar constructor at any level of the cluster hierarchy. The matching of the controlling processes is immediate; all controlling processes are at the same level, the most external one (see Figure 3(d)). The processes P1 and P2 are combined if the conditions are satisfied, and during this combination the controlling process of P1 and P2 disappears. On the left-hand side of the equation of Figure 3(c), R1 stands for the remaining processes in the PARpar constructor under consideration and R2 stands for the remaining clusters and controlling processes of the whole description. It is important to notice that every time the current tree is transformed, the labels and the names of the processes affected by this transformation must be updated. 

Fig. 3. Basic configurations. 

In the case of serialising two processes originally in parallel, the introduction of deadlock must be avoided. If P1 or P2 does not communicate directly with the environment through user-declared channels (that is, one of them communicates with the environment only through its controller), there is no problem in serialising P1 and P2, in any order, since they operate on disjoint data spaces. This is syntactically ensured because Occam does not allow parallel processes to share variables. Nevertheless, if P1 and P2 have communication commands introduced by the user in the original description, it is necessary to check whether there is any possible order in which these processes can communicate with the environment without introducing deadlock. This is performed by the function sequence CHI, which uses the information about the order of occurrence of all events in the system. Also, it may be the case that P1 and P2 synchronise. In this case, the serialisation of P1 and P2 involves the elimination of internal channels, and can be achieved following the strategy suggested in 0. 
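The dependency check of Rule 1, as an added example that is not code from the paper or from ParTS: a tiny Occam-subset syntax tree (an assumption of this example), the ASS/USED sets, the boolean function dependency exactly as defined above, and the Rule 1 rewrite SEQ(P1, P2) to PAR(P1, P2) that fires only when the check fails. The sample input is the hardware process of Fig. 8(e), transcribed here as a constructed tree.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import FrozenSet, Tuple, Union


@dataclass(frozen=True)
class Assign:
    """x := e ; `uses` holds the variables read by the expression e."""
    target: str
    uses: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Input:
    """ch ? x, y, ... : the received variables are assigned."""
    chan: str
    targets: Tuple[str, ...]


@dataclass(frozen=True)
class Output:
    """ch ! x, y, ... : the sent variables are read."""
    chan: str
    uses: Tuple[str, ...]


@dataclass(frozen=True)
class Seq:
    """Binary SEQ(left, right), the form used in the splitting tree."""
    left: Proc
    right: Proc


@dataclass(frozen=True)
class Par:
    """Binary PAR(left, right)."""
    left: Proc
    right: Proc


Proc = Union[Assign, Input, Output, Seq, Par]


def ASS(p: Proc) -> FrozenSet[str]:
    """Variables assigned anywhere inside p (an input assigns its targets)."""
    if isinstance(p, Assign):
        return frozenset({p.target})
    if isinstance(p, Input):
        return frozenset(p.targets)
    if isinstance(p, Output):
        return frozenset()
    return ASS(p.left) | ASS(p.right)


def USED(p: Proc) -> FrozenSet[str]:
    """Variables read anywhere inside p (an output reads what it sends)."""
    if isinstance(p, Assign):
        return p.uses
    if isinstance(p, Input):
        return frozenset()
    if isinstance(p, Output):
        return frozenset(p.uses)
    return USED(p.left) | USED(p.right)


def dependency(q1: Proc, q2: Proc) -> bool:
    """TRUE when Q1 and Q2 have a data-dependency: one of them assigns a
    variable that the other one assigns or reads.  Two processes that only
    read a common variable satisfy neither disjunct of the condition."""
    return bool((ASS(q1) | USED(q1)) & ASS(q2)) or \
           bool((ASS(q2) | USED(q2)) & ASS(q1))


def rule1_parallelise(p: Seq) -> Proc:
    """Rule 1: SEQ(P1, P2) -> PAR(P1, P2) when P1 and P2 have no
    data-dependency; otherwise the configuration is left unchanged."""
    if dependency(p.left, p.right):
        return p
    return Par(p.left, p.right)


# Constructed sample: the hardware process of Fig. 8(e),
#   SEQ(ch3 ? x,y,z, PAR(y := y + 2*x, z := x*(x+2)), ch4 ! y,z)
# written with binary SEQs.
Y_UPDATE = Assign("y", frozenset({"y", "x"}))
Z_UPDATE = Assign("z", frozenset({"x"}))
HW = Seq(Input("ch3", ("x", "y", "z")),
         Seq(Par(Y_UPDATE, Z_UPDATE), Output("ch4", ("y", "z"))))


if __name__ == "__main__":
    # The two assignments inside the PAR are independent ...
    print(dependency(Y_UPDATE, Z_UPDATE))                    # False
    # ... but the input that feeds them cannot be placed alongside them.
    print(dependency(HW.left, HW.right))                     # True
    print(rule1_parallelise(Seq(Assign("x"), Assign("y"))))  # Par(...)
```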
4.2 Intermediary Configurations 

Intermediary configurations are the ones in which the processes to be combined, say P1 and P2, are distant. We say that processes are distant if they are not structured in a basic configuration. There are three general patterns of intermediary configurations: (1) the ones in which P1 has an arbitrary context F as its right brother and this context includes P2 as a component (Figure 4(a)); (2) the ones in which P1 has an arbitrary context as its left brother and this context includes P2 as a component (Figure 4(b)); and (3) the ones in which P1 and P2 are distant cousins (Figure 4(c)). Of course, here we are not interested in the cases where particular instances of F reduce those patterns to basic configurations, since these have already been addressed in the previous section. Moreover, Figure 4 shows only the patterns in which the controlling process of P1 and P2 is sequential. Nevertheless, there are similar intermediary configurations in which the mentioned controlling process is parallel. 




Fig. 4. Intermediary configurations: (a) Case (1), (b) Case (2), (c) Case (3). 



The aim of the transformations applied to these configurations is to approximate P1 and P2, that is, to bring them closer together in the tree. However, unlike in the case of basic configurations, these transformations do not reduce the tree. The rules applied in Cases (1) and (2) try to approximate P1 and P2 by moving P2 upwards and/or P1 downwards, until they can be structured as in a basic configuration. In Case (3), rules are applied to move P1 and/or P2 upwards, until one of them becomes the grandson of the common ancestor of P1 and P2. (The sons of the common ancestor must be controlling processes, otherwise we are considering Case (1) or (2). These promotion rules are very similar to the ones applied in the moving upwards procedure of Cases (1) and (2).) Then, a transformation rule is applied to structure P1 and P2 as in Case (1) or (2). For conciseness, in what follows we focus on the approximation procedure of Case (1). The other cases are extensively described in ps|. 

4.2.1 The Approximation Procedure of Case (1). The approximation of processes P1 and P2 when they obey Case (1) may involve three procedures: the transformation procedure of stop configurations, the moving downwards procedure of P1 and the moving upwards procedure of P2. Notice that at this point it does not matter whether P1 and P2 will be combined in sequence or in parallel; only the reduction of basic configurations deals with this issue. 



An Algebraic Approach to Combining Processes 317 




Fig. 5. Stop configurations of Case (1): (i), (ii), (iii), (iv). 

The Transformation Procedure of Stop Configurations for Case (1). Stop configurations are configurations which can be directly transformed into a basic configuration. They can be considered as target configurations for the moving upwards/downwards procedures. The stop configurations of Case (1) are depicted in Figure 5(a). Rule 2 in Figure 5(b) is an example of the rules applied to transform stop configurations (in this case it transforms the stop configuration (i) of the same figure). This rule is justified by the associativity of the SEQ operator (see Law 3 of Section 2). 

The Moving Downwards Procedure for Case (1). The configurations shown in Figure 6 can occur during the moving downwards procedure applied to P1. In addition to these configurations, the ones in which F(P2) exchanges roles with Q must also be considered. Two of the rules applied to transform some of these configurations are given in Figure 7. 




Fig. 6. Configurations for the moving downwards procedure in Case (1). 
Rule 3 exchanges the sequential order between P1 and Q in configuration (a) of Figure 6. This can be done only if P1 and Q have no data-dependency and if this exchange does not introduce deadlock. The function sequence is used to verify that the serialisation of Q and P1, in this order, does not introduce deadlock. 




Fig. 7. Four Rules for the moving downwards of process Pi. 

Rule 4 is a bit more complex, as configuration (b) of Figure 6 can be transformed into two different ones, according to some conditions. Firstly, it is checked whether P1 and Q have no data-dependency. In this case, they can be placed in parallel during the moving downwards process. Otherwise, it is checked whether F(P2) and Q can be combined in sequence without introducing deadlock. If neither of these conditions can be satisfied, the configuration under consideration is not transformed. 

The rule applied to transform configuration (c) is similar to the one applied to 
the configuration (b). To move down Pi in configuration (d) the commutativity 
of the PAR operator is used. 
The Moving Upwards Procedure for Case (1). The configurations for the moving upwards procedure are very similar to the ones for the moving downwards procedure. The only difference between the rules for this case and the ones for the moving downwards procedure is that the controlling processes transformed in the moving upwards procedure are the father and the grandfather of P2, whereas in the moving downwards procedure they are the father and the brother of P1. 



4.3 The Algorithm 

The algorithm to combine processes at the joining phase applies the rules presented in Sections 4.1 and 4.2 and is composed of three main steps: resolution of the basic configurations of each cluster, resolution of the intermediary configurations of each cluster and some final transformations. The first two steps (which are the major ones) of the algorithm are described in what follows, while a more detailed version is given in m-. Before presenting the algorithm of each step, we describe the data structures and the procedures used by the algorithm. 

Data structures: 

Cl_i - cluster variable. 

S_i = (S_i,1, S_i,2, ..., S_i,m) - sequence where each S_i,j is a PARpar or PARser process of Cl_i. The order of the elements in this sequence follows the order of the nested levels of the cluster hierarchy, where the first element is the most internal PARpar or PARser process in the cluster hierarchy and the last element is the most external one. The order of the elements in the same level of the hierarchy is irrelevant. If a cluster has no PARpar or PARser constructor, it has only one process P1, and so S_i is empty. 

S_i,j = (P1, P2, ..., P_t) - sequence of processes belonging to a PARser or PARpar process. 

L1 - sequence of pairs of processes (Px, Py) from S_i,j, where Px is the brother of Py. 

L2, L3 and L4 - sequences all composed of pairs of processes (Px, Py) such that the depth of any process in the current S_i,j is not in between the depth of Px and that of Py. (This guarantees that the closest processes are considered first during the combination procedure.) Furthermore, in L2 the processes Px and Py must be structured as in Case (1) of intermediary configurations, in L3 as in Case (2) and in L4 as in Case (3). 

tryAgain and moveUp - auxiliary boolean variables. 

Global Procedures 

function Reduce_Basic_Configuration(Px, Py) : boolean 
begin 
    apply the appropriate rule for combining Px and Py 
    if the combination is successful then 
        delete Px and Py from S_i,j and add Px.y to S_i,j 
        return TRUE 
    else return FALSE 
end 

procedure Unitary_Constructor(S_i,j) 
begin 
    if S_i,j becomes unitary then 
        apply either the rule PARpar P = P or the rule PARser P = P 
end 
Step 1: Resolution of Basic Configurations. The purpose of this step is, for each cluster, to combine all processes which are structured as in a basic configuration. Observe that we consider any pair of processes only once during the algorithm. If the combination of these processes is possible, it is performed. Otherwise, the processes remain unchanged. 

Algorithm of Step 1 

for each cluster Cl_i, i = 1, 2, ..., n do 
    if S_i is not empty then 
        for each S_i,j, j = 1, 2, ..., m do 
            generate L1 by finding the pairs of brothers of S_i,j 
            while L1 is not empty do 
                let (Px, Py) be the first element of L1 
                delete (Px, Py) from L1 
                if Reduce_Basic_Configuration(Px, Py) then 
                    add to L1 each new pair of brothers (Px.y, Pz) 
            Unitary_Constructor(S_i,j) 

Step 2: Resolution of Intermediary Configurations. The purpose of this step is, for each cluster, to combine distant processes. These processes are structured as in Cases (1), (2) or (3) of Section 4.2. As mentioned before, we concentrate the description on the resolution of Case (1). The other cases are fully described in m-. To combine processes structured as in Case (1), it is first checked whether the processes are structured as in a stop configuration, in which case a transformation rule and then a reduction rule are applied. Otherwise, the moving downwards and/or the moving upwards procedures are applied to approximate the processes. 

Algorithm of Step 2 

for each cluster Cl_i, i = 1, 2, ..., n do 
    if S_i is not empty then 
        for each S_i,j, j = 1, 2, ..., m' do 
            generate L2, L3 and L4 
            -- resolution of case (1) 
            while L2 is not empty do 
                let (Px, Py) be the first element of L2 
                delete (Px, Py) from L2 
                set the variables tryAgain to TRUE and moveUp to FALSE 
                -- moving downwards 
                while tryAgain and not moveUp do 
                    if Px and Py are structured as in a stop configuration then 
                        apply the appropriate stop configuration rule to 
                            structure Px and Py in a basic configuration 
                        if the transformation is successful then 
                            if Reduce_Basic_Configuration(Px, Py) then 
                                replace each occurrence of Px and Py in L2, L3 and L4 by Px.y 
                        set the variable tryAgain to FALSE 
                    else 
                        apply the appropriate rule for moving downwards, say Px 
                        if the moving downwards is not successful then 
                            set moveUp to TRUE 
                -- moving upwards 
                while moveUp do 
                    apply the appropriate rule for moving upwards, say Py 
                    if the moving upwards is not successful then 
                        set moveUp to FALSE 
                    else 
                        if Px and Py are structured as in a stop configuration then 
                            apply the appropriate stop configuration rule to 
                                structure Px and Py in a basic configuration 
                            if the transformation is successful then 
                                if Reduce_Basic_Configuration(Px, Py) then 
                                    replace each occurrence of Px and Py in L2, L3 
                                        and L4 by Px.y 
                                set the variable moveUp to FALSE 
            -- resolution of case (2) 
            -- resolution of case (3) 
            Unitary_Constructor(S_i,j) 




Fig. 8. The application of the joining strategy to the example of Figure 0. Only the text of part (e), the final partitioned description, is recoverable from the figure: 

CHAN ch1, ch2, ch: 
PAR 
    PARsw 
        VAR x,y,z: SEQ(x:=2, y:=1, ch!x, ch3!x,y,z, ch4?y,z) 
    PARhw 
        VAR x,y,z: SEQ(ch3?x,y,z, PAR(y:=y + 2*x, z:=x*(x+2)), ch4!y,z) 



Considering the clustering result of Figure E^d), during the first step of the algorithm processes P3 and P4 are combined, as they are structured as in a basic configuration. At the second step, Rule 2 is applied to structure P6 and P8 in a basic configuration, and after that Rule 1 is applied to combine these processes. The reduced tree is shown in Figure 8(a), where, for didactic purposes, we use a symbolic name for the combined processes. Observe that it is not possible to bring P3.4 and P9 closer by moving P3.4 downwards, as this process has a data-dependency with process P6.8. However, it is possible to exchange P9 with P6.8, because they do not have a data-dependency (see Figure 8(b)). After that, P3.4 and P9 are structured in the form of the stop configuration (i) of Figure 5(a) and Rule 2 is again applied. Finally, the processes are combined by applying a serialisation rule for the basic configuration (i) of Figure 3(a), resulting in the tree shown in Figure 8(c). 

Final Considerations. These two steps of the algorithm are responsible for combining (when possible) all processes of a given cluster. However, to guarantee that the description generated after this step follows the clustering result, some additional work is necessary, detailed in HSl. For example, if two processes in a PARser construct have not been combined in the previous steps (because they did not satisfy the conditions associated with the rules attempted), it is necessary to check whether these processes really execute in sequence, as required. The labels of these processes are used for this purpose. Moreover, there might still be opportunity for further transformations: inside each process, the inverse rules of the splitting phase are applied to re-compose the IF and ALT commands, which might have been broken at the splitting phase, and to linearise the SEQ and PAR constructors, which are in binary form. After that, the final description is generated, by adopting as a design decision the condensation of the remaining controlling processes with the software cluster. 

Considering the example of Figure 8, the partitioned system (Figure 8(d,e)) is generated through the condensation of the remaining controlling process CS1 with the software process (P3.4.9). Observe that the hardware and the software components synchronise directly. However, some optimisations can still be performed. For example, it makes no sense to receive the values of the variables y and z at the end of the scope of the SEQ construct. This kind of optimisation is not considered in this paper. 

5 Conclusions 

The hardware/software partitioning approach described here characterises the 
partitioning problem as a program transformation task, and comprises four dis- 
tinct phases: splitting, classification, clustering and joining. The main contribu- 
tion of this paper is a formal strategy for carrying out the joining phase auto- 
matically. The processes belonging to the hardware and software components 
are effectively combined in this phase, by serialisation or by parallelisation. By 
checking some conditions, the strategy presented here avoids the introduction of 
deadlock. 

Because the output of the partitioning process in our approach is still an 
Occam program, it is possible to carry out simulations at a very early stage of 
the design. In other approaches to co-design 0 B|, the output of the partition- 
ing is only an indication of what should be done, but the final program is not 
automatically generated. 

One important point of our approach is the orthogonality between the efficiency and the correctness issues of the partitioning, as mentioned in Section El. An immediate consequence of this orthogonality is that we can reuse the same splitting and joining phases as part of several different strategies for hardware/software partitioning, provided of course the splitting granularity is adequate for the heuristics employed. Nevertheless, even for partitioning heuristics that consider coarser granularity, the proposed BOX constructor may be used to encapsulate pieces of code for hardware/software partitioning analysis. 

We have briefly justified a few rules (like Rule 2 in Figure 5(b)) based on some of the basic laws of Occam, such as the associativity of sequential composition (Law 3 of Section 2). One immediate topic for further work is to formally derive each rule of the joining phase from the basic laws of Occam, as has been done for the splitting phase m-. We also need to extend the joining strategy to consider replicated constructs and to deal with the optimisations mentioned at the very end of Section 4. The ultimate goal is to guarantee, by construction, that the splitting and joining strategies preserve the semantics of the original description. 

We are not aware of any other work which presents a formal characterisation 
of the partitioning problem as done here and in HH. Nevertheless, it is worth 
mentioning that the kind of algebraic framework used here has been used previ- 
ously to characterise and reason about a number of other applications !i4iuiimj . 
All these works can be regarded as applications of refinement algebra. 

We have developed an environment, the Partitioning Transformation System 
(ParTS), to carry out the partitioning automatically. It has been developed as 
an extension of OTS (the Occam Transformation System) |Z], which performs 
general transformations of Occam programs. While the basic laws of Occam d 
implemented in OTS are useful for program transformation in general, they 
express only simple transformations, and are not suitable to capture the parti- 
tioning problem. The aim of ParTS is to extend OTS with transformation rules 
for the splitting and joining phases, as well as the splitting and joining strategies. 
The current version of ParTS includes the implementation of all splitting rules, 
of the splitting strategy and of some of the joining rules. Each transformation 
rule is captured in ParTS by a function in the SML m language. The split- 
ting and joining strategies are also coded as functions, taking advantage of the 
pattern matching facilities of SML. 

Channels and local variables introduced during the splitting phase can interfere with the efficiency of the partitioned system. We are developing some optimisations to guarantee that all local communication and local variables will be 
eliminated from the final description of the system. Moreover, the classification 
and clustering phases, during the cost analysis, deal with introduced variables 
and channels in a different way from the original variables and channels. An 
accurate analysis of the efficiency of the final system will be possible only af- 
ter developing some large case studies. In this paper we are emphasising the 
correctness issue of the partitioning process. 
Abstract We propose a general categorical setting for modeling program composition in which the call-by-value and call-by-name disciplines 
fit as special cases. Other notions of composition arising in denotational 
semantics are captured in the same framework: our leading examples are 
nondeterministic call-by-need programs and nonstrict functions with side 
effects. Composition of such functions is treated in our framework with 
the same degree of abstraction that Moggi’s categorical approach based 
on monads allows in the treatment of call-by-value programs. By virtue 
of such abstraction, interesting program equivalences can be validated 
axiomatically in mathematical models obtained by means of modular 
constructions. 



1 Introduction 

In denotational semantics programs are interpreted in domains with suitable computational structure. For example, a domain for interpreting integer programs with exceptions must include (besides integers) denotations for exceptions and allow case analysis. In the categorical semantics proposed in , the concrete structure of such domains is hidden behind the structure of a strong monad T, where TX is the domain of programs of type X. The advantage of describing program denotations in terms of the abstract structure of a monad is that a language can be extended with new computational features (e.g. a mechanism for exceptions or side-effects) and reinterpreted by just adopting a "more powerful" monad, without rewriting the old semantic equations. The computational lambda calculus (or computational metalanguage), the formal system associated in [Mog91] with this semantics, features a type constructor T and an operator $\mathrm{let}_T$ to compose programs of the form $A \to TB$, parametric in A, with programs of type A, which live in the domain TA. 

The notion of composition implemented by $\mathrm{let}_T$ corresponds to a call-by-value parameter evaluation in that programs are modelled by morphisms of the form $A \to TB$, indexed by values in A, and they satisfy only a restricted form of substitution. On the other hand, call-by-name programs, which accept unevaluated expressions as inputs, are modelled by morphisms $TA \to TB$, indexed by "computations" in TA. In the metalanguage, composition of such programs works according to $\beta$-reduction. Categorically, call-by-value programs compose in the Kleisli category of a monad T, while call-by-name programs compose in the base category. 
Other notions of composition arise in computer science. For nondeterministic partial functions, for example, the call-by-need discipline differs from call-by-value in that it is nonstrict, and from call-by-name in that different occurrences of a parameter are always assigned the same value. How do call-by-need programs compose? In the computational metalanguage one has no choice but to treat nondeterministic call-by-need programs as a special kind of call-by-name programs (the "additive" ones) and interpret them as morphisms $VA \to VB$, for some power construction V. However, a more finely grained semantics can be obtained by interpreting programs as morphisms of the form $A_\bot \to VB$ and exploiting the relation between V and the lifting construction $(\_)_\bot$ to get an operation $\mathrm{let}^{\bot}_{V}$ for composing such morphisms just like $\mathrm{let}_V$ composes strict programs $A \to VB$. Similar operations $\mathrm{let}^R_T$ are available for monads R and T when the structure of T extends, in a suitable sense to be explained below, the structure of R. Such operations and the categorical setting in which they arise are studied in this paper. 

We propose a general categorical framework for modeling program composition in which the call-by-value and call-by-name disciplines fit as special cases. In view of the relation between monads and algebraic theories, different notions of composition are obtained by distinguishing the algebraic structure with respect to which programs behave as homomorphisms. This approach gives a uniform account of different strategies of parameter evaluation, capturing notions of composition which do not fit naturally in the monadic setting of |M o IEI|. Common programming constructs such as exception handlers, pipes etc. can be interpreted in the proposed framework without exposing the concrete structure of the semantic domains. The benefits are twofold: on the one hand our framework allows an axiomatic approach to validation of program equivalences in large classes of models; on the other hand it allows property-preserving reinterpretation of program constructs under model extensions, thus supporting a modular approach to denotational semantics in the spirit of [Mog90a, RJen95]. 

Synopsis. Section 2 discusses a motivating example. Section 3 gives a general categorical explanation of the constructions of Section 2 and presents a semantic framework which gives a uniform account of different disciplines of program composition in terms of the algebraic notion of homomorphism. The setting of Section 3 is further generalised in Section 4, where a weak theory of program composition is proposed; the theory features two operations, similar to the unit and lifting of Kleisli triples, of which simple equational properties are proven. Applications are described in Section 5, where these operations are used to define the semantics of common program constructs. Then properties of such constructs are derived axiomatically and shown to be preserved when models are suitably extended with new computational features. 

2 A Motivating Example 

The viewpoint proposed in this paper is that different strategies of parameter 
evaluation can be described in terms of how programs preserve computational 
structure. In this section we discuss an example where semantic domains are provided by a composite monad $T = Q \circ R$. In such cases, an operation of program composition $\mathrm{let}_Q$ is available, where only the structure of Q is preserved. Using such an operation for defining the denotational semantics of programs with side-effects (modeled by Q) and failure (modeled by R) we are able to validate program equivalences axiomatically. Observing that similar operations are available, with the same benefits, for monads which are not of the form $Q \circ R$, we look for the general semantic setting, subsuming monad composition, where such operations arise. This is done in the next section. 

In a language with side effects and a mechanism for aborting computation, for example, a construct handle(M, N) runs the program M and, if a failure occurs, makes a second attempt to produce a value by running N. Such a language may be interpreted in a cartesian closed category by mapping terms of type $\tau$ to elements of $(([\![\tau]\!] + 1) \times S)^S$, where S is some object of states. In particular: 

$[\![handle(M, N)]\!] = \lambda s : S.\ \mathrm{case}\ \pi_0([\![M]\!]s)\ \mathrm{of}\ inl(v).\ (inl(v), \pi_1([\![M]\!]s)) \mid inr(u).\ [\![N]\!](\pi_1([\![M]\!]s))$ 

By using lambda abstraction and projections, this equation exposes the concrete structure of the domains of interpretation. Hence, it works fine for a toy language but not for more realistic ones, where domains of the form $((X + 1) \times S)^S$ may be inadequate to host programs. A more general presentation of the semantics of failure handling can be given by using the computational lambda calculus as metalanguage. In any model where programs are interpreted in domains of the form QRX, where Q is an arbitrary monad and $RX = X + 1$, we define: 

$[\![handle(M, N)]\!] = \mathrm{let}_Q\ z \Leftarrow [\![M]\!]\ \mathrm{in}\ \mathrm{case}\ z\ \mathrm{of}\ inl(v).\ \mathrm{val}_Q(inl(v)) \mid inr(u).\ [\![N]\!]$ (1) 

The case above is obtained when $QX = (X \times S)^S$. Adopting interpretation (1), one can work formally in a suitable theory of the computational lambda calculus and validate program equivalences for any model of the above class. The following equation, for example, can be easily derived from the axioms of the calculus. 

$handle(handle(L, M), N) = handle(L, handle(M, N))$ (2) 

Unfortunately, there are perfectly reasonable models for exceptions where no $\mathrm{val}_Q$ and $\mathrm{let}_Q$ operations are available to implement the handling of an exception. The monad $TX = ((X \times S) + 1)^S$, for example, models a "dramatic" form of failure, in which the state is lost upon occurrence of an exception. Equation (2) should also hold for programs of this form, but we have no formal (i.e. axiomatic) means of proving this equivalence without exposing again the concrete structure of T. 



328 Pietro Cenciarelli 



However, the monads R and T are related by two operations $\mathrm{val}^R_T : R \to T$ and $\mathrm{let}^R_T$, the latter feeding programs of the form $RA \to TB$ with arguments of type TA, which do for T what $\mathrm{val}_Q$ and $\mathrm{let}_Q$ do for the monad QR. Given $L : RA$, $M : TA$ and $N : RA \to TB$, define: 

$\mathrm{val}^R_T(L) = \lambda s : S.\ \mathrm{case}\ L\ \mathrm{of}\ inl(v).\ inl(v, s) \mid inr(u).\ inr(u)$ 

$\mathrm{let}^R_T\ x \Leftarrow M\ \mathrm{in}\ N(x) = \lambda s : S.\ \mathrm{case}\ M(s)\ \mathrm{of}\ inl(v, s').\ N(inl(v))s' \mid inr(u).\ N(inr(u))s_0,$ 

where $s_0$ is some recovery state from which computation is resumed if a dramatic failure occurs. We can now define the semantics of dramatic exception handlers by just replacing $\mathrm{val}_Q$ with $\mathrm{val}^R_T$ and $\mathrm{let}_Q$ with $\mathrm{let}^R_T$ in (1), and the given proof of (2) goes through unchanged (see application .). This approach is shown in Section 5 to yield a uniform interpretation of handle in a large class of models obtained by modular constructions: let H be an arbitrary monad and let TH be the monad $(TH)X = (H(X \times S))^S$; assuming that suitable val and let operations are given for interpreting failure in the computational setting of H, one obtains val and let operations for reinterpreting failure in the more elaborate setting of TH. 

For which monads R and T can we find suitable operations $\mathrm{val}^R_T$ and $\mathrm{let}^R_T$ lifting R-computation to T-computation? What equations should one expect such operations to satisfy? Associativity seems a reasonable assumption. Moreover, in the above example, $\mathrm{val}^R_T$ is a left unit for $\mathrm{let}^R_T$, that is: $\mathrm{let}^R_T(\mathrm{val}^R_T) = id$. On the other hand, it is not a right unit, that is, $\mathrm{let}^R_T(f) \circ \mathrm{val}^R_T = f$ does not hold. If $\mathrm{let}^R_T$ is to model a nonstrict form of program composition and the view is adopted that programs should form a category, this is a rather odd state of affairs. In the next section we look for a categorical picture to give us a convincing set of axioms for a general theory of program composition. 

3 An Algebraic View of Program Composition 

In this section we propose an abstract categorical setting, called extension setting, 
for interpreting program composition. The underlying algebraic intuition is 
explained by discussing the example of non-deterministic call-by-need programs. 

In the functional programming language Haskell programs are said to evaluate 
their parameters “by-need.” Call-by-need differs from call-by-value in that 
application is nonstrict: a typical Haskell implementation of the Ackermann 
function, for example, would include a clause ack 0 n = 1. Then, for a nonterminating 
program loop, the term ack(0, loop) evaluates to 1, while it would 
fail to produce a result in Standard ML, where parameters are called by-value. 

Call-by-need also differs from call-by-name in the presence of nondeterminism. 
A sequential program may exhibit nondeterministic behaviour when interacting 
with the operating system. For example, many programming languages, 
including Haskell, feature a library function GetTime which returns nondeterministically 
the current value of the system clock. Let the call ack(2, GetTime) 
match the clause ack n m = ack (ack (n-1) m) (m-1). With a call-by-name 
discipline, as in the Algol-like language of [riCTfi], this call would result in evaluating 
the second argument at different times, thus producing nonsensical results. 
Conversely, arguments that are called by-need are evaluated only once, if ever. 
The discriminating notion here is additivity. Let p and q be programs and let 
p or q be the program which runs either p or q, nondeterministically. A program 
f is called additive when f(p or q) = f(p) or f(q). Then, call-by-need 
and call-by-value programs are additive while call-by-name programs are not. 

The above discussion suggests an “algebraic” explanation of these three calling 
mechanisms. Consider an interpretation in the category Set of small sets 
of a simple nondeterministic language, where programs producing values in $X$ 
are interpreted as elements of the finite powerset $\mathcal{P}X$ of $X$. Two operations are 
fundamental in the finite powerset construction: binary union, which we can use 
to interpret or, and emptyset, which we can use to interpret loop. In this setting, 
one can view call-by-value programs as homomorphisms with respect to 
both operations, call-by-need with respect to union only, and call-by-name with 
respect to neither. The following interpretation of the three calling mechanisms 
is based upon this observation. 

A nondeterministic program p(x), with a call-by-name parameter x, expects 
an unevaluated expression as input. Therefore such programs correspond 
(roughly) to functions of the form $\mathcal{P}A \to \mathcal{P}B$, and p(q) is obtained by straight 
composition. On the other hand, if p is call-by-value, it must run on the results 
of its argument’s evaluation and produce nothing if q produces none. Therefore, 
such programs correspond to morphisms of the form $A \to \mathcal{P}B$. Composition 
of such programs is obtained by exploiting the operation of Kleisli lifting $(\_)^{*_{\mathcal{P}}}$ 
of the monad $\mathcal{P}$, which maps morphisms $A \to \mathcal{P}B$ to morphisms $\mathcal{P}A \to \mathcal{P}B$. 
In particular, $[\![p(q)]\!] = [\![p]\!]^{*_{\mathcal{P}}}[\![q]\!]$. In the computational metalanguage this is 
written: 



$[\![p(q)]\!] = let_{\mathcal{P}}\ x \Leftarrow [\![q]\!]\ \mathit{in}\ [\![p]\!].$ 

Morphisms of the form $f^{*_{\mathcal{P}}}$ are strict and additive precisely because finite 
powersets are the free construction associated with the theory of semilattices. 
Semilattices are algebraic structures with a nullary operation $0$ and a binary 
operation $\vee$ satisfying the following axioms: 



$x \vee x = x$ 

$x \vee y = y \vee x$ 

$x \vee (y \vee z) = (x \vee y) \vee z$ 

$x \vee 0 = x.$ 

A monad providing the free construction associated with an algebraic theory 
is said to classify the theory. The correspondence between monads and algebraic 
theories in enriched categories is studied in [KP93], [Rob95]. 
To model a call-by-need p, not only must we say how it behaves on values, 
but also what it can do when no value is produced in input. This can be done by 
interpreting p as a morphism $A_\perp \to \mathcal{P}B$, where $A_\perp = \{X \in \mathcal{P}A \mid card(X) \le 1\}$ 
and $card(X)$ is the cardinality of $X$. Then, to interpret p(q), we look for an 
operation $(\_)^*$ to return an additive, possibly nonstrict extension of $[\![p]\!]$ to $\mathcal{P}A$. 

The idea is to split the finite powerset monad into two constructions, one for 
each operation of the theory of semilattices. First we consider the theory of $0$, 
with no axioms. The free models of this theory in Set are given by the lifting 
monad $(\_)_\perp$. To “finish” the construction, we cannot use the finite nonempty 
powerset monad $\mathcal{P}^+$ which classifies the theory of $\vee$, as $\mathcal{P}A \not\cong \mathcal{P}^+(A_\perp)$. In 
fact, we must consider this theory not in Set but in $\mathrm{Set}^\perp$, the category of algebras 
of the monad $(\_)_\perp$. An algebra $(A, a)$ for this monad consists of a set 
$A$ and a distinguished element $a \in A$. Homomorphisms from $(A, a)$ to $(B, b)$ 
are functions $f : A \to B$ such that $f(a) = b$. The free models of the theory 
of $\vee$ in $\mathrm{Set}^\perp$ are given by the monad $(\mathcal{P}^+, \eta, \mu)$, where $\mathcal{P}^+$ maps $(A, a)$ to 
$(\{X \in \mathcal{P}A \mid a \in X\}, \{a\})$, $\eta_{(A,a)}(x) = \{x, a\}$ and $\mu_{(A,a)}(\mathcal{X}) = \bigcup_{Y \in \mathcal{X}} Y$. Clearly, 
writing $A_\perp$ for the free algebra $(A_\perp, \emptyset)$, the underlying set of $\mathcal{P}^+(A_\perp)$ is (isomorphic 
to) $\mathcal{P}A$. 

In fact, $\mathcal{P}$ is the extension of the monad $\mathcal{P}^+$ along the forgetful functor 
$\mathrm{Set}^\perp \to \mathrm{Set}$ in the sense explained below. Similarly, the operation $(\_)^{*_{\mathcal{P}^+}}$, which 
lives in $\mathrm{Set}^\perp$, extends to an operation $(\_)^*$ in Set. In particular, $(\_)^*$ maps functions 
$A_\perp \to \mathcal{P}B$ to functions $\mathcal{P}A \to \mathcal{P}B$ where $f^*X = \bigcup\{f(x) \mid x \in X_\perp\}$. Then, 
call-by-need is modelled as: $[\![p(q)]\!] = [\![p]\!]^*[\![q]\!]$. Pretty-printing: 

$[\![p(q)]\!] = let_{\mathcal{P}}\ x \Leftarrow [\![q]\!]\ \mathit{in}\ [\![p]\!].$ 

Functions of the form $f^*$ are strict only when $f$ is strict. Moreover, they are 
additive because $(\_)^*$ extends the Kleisli composition of the monad $\mathcal{P}^+$ which 
classifies the theory of $\vee$. 
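As an added illustration, not taken from the paper, the following Python code models the three calling mechanisms over the finite powerset monad: call-by-value composition is the Kleisli lifting $(\_)^{*_{\mathcal{P}}}$, call-by-need is the extension $f^*X = \bigcup\{f(x) \mid x \in X_\perp\}$, and call-by-name is plain function composition. The helper names, the constructed sample programs and the reading of $X_\perp$ as $\{\emptyset\} \cup \{\{a\} \mid a \in X\}$ are assumptions of this example. Besides the nonstrict evaluation of ack(0, loop) and the additivity distinction discussed above, it also checks the associativity equation (4) and the right-unit equation (9) of Section 4 for $(\_)^*$, the latter failing in Set exactly as the paper later remarks.

```python
from typing import Callable, FrozenSet, Hashable

# A nondeterministic result is a finite set of values: an element of P(X).
Values = FrozenSet[Hashable]
LOOP: Values = frozenset()          # the empty set interprets `loop`


def choice(*alternatives: Values) -> Values:
    """Union interprets `p or q` (n-ary here for convenience)."""
    return frozenset().union(*alternatives)


def kleisli_star(p: Callable[[Hashable], Values]) -> Callable[[Values], Values]:
    """(_)^{*_P}: a call-by-value program A -> P(B) lifted to P(A) -> P(B).
    It runs p on every value its argument can produce, so it yields
    nothing on `loop` (strict) and commutes with union (additive)."""
    return lambda X: choice(*(p(a) for a in X))


def need_star(f: Callable[[Values], Values]) -> Callable[[Values], Values]:
    """(_)^*: a call-by-need program A_bot -> P(B), i.e. a function of a set
    with at most one element, extended to P(A) -> P(B) by
    f^* X = U{ f(x) | x in X_bot }.  Assumption of this example: X_bot is
    read as {{}} together with the singletons {a} for a in X."""
    def extended(X: Values) -> Values:
        x_bot = [LOOP] + [frozenset([a]) for a in X]
        return choice(*(f(x) for x in x_bot))
    return extended


def iota(x: Values) -> Values:
    """The inclusion A_bot -> P(A)."""
    if len(x) > 1:
        raise ValueError("not an element of A_bot")
    return x


# Constructed sample programs (all names are assumptions of this example).
def one_value(a: Hashable) -> Values:      # call-by-value: needs a value
    return frozenset([1])


def one_need(x: Values) -> Values:         # call-by-need: answers on {} too
    return frozenset([1])


def succ_need(x: Values) -> Values:        # strict call-by-need: {} -> {}
    return frozenset(a + 1 for a in x)


def default_need(x: Values) -> Values:     # nonstrict: {} -> {0}, {a} -> {a}
    return x if x else frozenset([0])


def double_name(X: Values) -> Values:      # call-by-name: evaluates X twice
    return frozenset(a + b for a in X for b in X)


def is_additive(p, X: Values, Y: Values) -> bool:
    return p(choice(X, Y)) == choice(p(X), p(Y))


def is_strict(p) -> bool:
    return p(LOOP) == LOOP


def associative(f, g, X: Values) -> bool:
    """Equation (4): f^* o g^* = (f^* o g)^*, checked at the input X."""
    fs, gs = need_star(f), need_star(g)
    return fs(gs(X)) == need_star(lambda x: fs(g(x)))(X)


def right_unit(f, a: Hashable) -> bool:
    """Equation (9): f^* o iota = f, checked at the singleton {a}."""
    x = frozenset([a])
    return need_star(f)(iota(x)) == f(x)
```

Running `kleisli_star(one_value)(LOOP)` gives the empty set (the call-by-value program fails on `loop`), whereas `need_star(one_need)(LOOP)` gives `{1}`; `double_name` is the non-additive call-by-name program, and `right_unit(default_need, 5)` is false because $f^*$ also contributes $f(\emptyset)$ to the result.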

The situation just described generalises as follows. We call extension setting 
a categorical picture 

[diagram: functors $F : \mathcal{C} \to \mathcal{A}$ and $G : \mathcal{A} \to \mathcal{C}$, with a monad $M$ on $\mathcal{A}$] 

where $F \dashv G$ are adjoint functors and $M = (M, \eta^M, \mu^M)$ is a monad on $\mathcal{A}$. Let 
$R = (GF, \eta^R, \mu^R)$ be the monad induced by the adjunction $F \dashv G$ on $\mathcal{C}$, let $\varepsilon$ 
be the counit of this adjunction and let $T$ be the functor $GMF : \mathcal{C} \to \mathcal{C}$. The 
latter is the right Kan extension of $GM$ along $G$. The natural transformations 
$\eta^T = G\eta^M F \circ \eta^R$ and $\mu^T = G\mu^M F \circ GM\varepsilon MF = G(\varepsilon MF)^{*_M}$ endow $T$ with the 
structure of a monad. Following [St72], we call such a monad the extension of 
$M$ along $G$. This extension is unique in the sense of [St72, §2]. 

We write settings like the one above as triples $(F, G, M)$ and indicate with 
$R$, $T$ and $\varepsilon$ respectively the monad $GF$, the monad $GMF$ and the counit of the 
adjunction $F \dashv G$. We call $\mathcal{C}$ the base category of the setting. 
Given an extension setting $(F, G, M)$ on a base category $\mathcal{C}$, we intend to 
interpret program composition by means of a family $(\_)^*$ of associative operations 
of the form: 

$(\_)^*_{A,B} : \mathcal{C}(RA, TB) \to \mathcal{C}(TA, TB),$ 

extending $M$-lifting along $G$. More formally: we require that, for all morphisms 
$h : FA \to MFB$, $f : RB \to TC$ and $g : RA \to TB$, the following holds: 

$(Gh)^* = G(h^{*_M})$ (3) 

$f^* \circ g^* = (f^* \circ g)^*$ (4) 

When the functor $G$ is monadic, (3) requires $(\_)^*$ to behave like $(\_)^{*_M}$ on 
$R$-homomorphisms. Since $T$ extends $M$ along $G$, this is to say that $f^*$ should 
preserve $T$ structure whenever $f$ preserves $R$ structure. Note that the natural 
transformation $\iota = G\eta^M F : GF \to GMF$ in a setting $(F, G, M)$ is a monad 
morphism from $R$ to $T$, and that the equation $\iota^* = id$ follows immediately from 
(3). 

Example 3.1 Call-by-value and call-by-name. 

Given a monad $T$, an interpretation $[\![p(q)]\!] = [\![p]\!]^*[\![q]\!]$ of call-by-value program 
composition is obtained in the setting $(Id, Id, T)$, where $R$ is the identity 
and $(\_)^* = (\_)^{*_T}$. On the other hand, a call-by-name interpretation is obtained 
in any setting $(F, G, Id)$, where $R = GF = T$ and $(\_)^*$ is the identity. These examples 
are the “extreme” cases where $R$ possesses all or nothing of the structure 
of $T$. The following examples show that intermediate cases are also interesting. 

Example 3.2 Call-by-need. 

Here we describe a setting, analogous to the finite powerset example developed 
earlier, relating the lifting and Hoare powerdomain monads in the category of 
cpos. A similar picture can be drawn for algebraic cpos. 

Let Cpo be the category of possibly bottomless cpos. The Hoare powerdomain 
$\mathcal{P}(A)$ of such a cpo $A$ is the set of downward closed subsets of $A$ ordered by 
inclusion. Empty set and union are the universal operations on $\mathcal{P}(A)$ satisfying 
the theory of semilattices, together with the axiom: $x \vee y \ge x$. 

One can split this construction in two steps as done for powersets. In particular, 
let $\mathrm{Cpo}_\perp$ be the category of cpos with bottom element and strict continuous 
functions. This is the category of algebras of the lifting monad. If $X$ is an object 
of $\mathrm{Cpo}_\perp$, let $\mathcal{P}^+X$ be the cpo of nonempty downwards closed subsets of $X$ 
ordered by inclusion and let $\eta_X : X \to \mathcal{P}^+X$ map $x$ to $\{y \mid y \le x\}$. The union 
operation makes of $\mathcal{P}^+X$ the free $\{\vee\}$-algebra generated by $X$ in $\mathrm{Cpo}_\perp$. That is: 
for any map $f : A \to B$ in $\mathrm{Cpo}_\perp$, where $B$ is endowed with an operation $\vee$ satisfying 
the given equations, there is a unique $\vee$-homomorphism $f^\dagger : \mathcal{P}^+A \to B$ 
such that $f^\dagger \circ \eta_A = f$. This gives to $\mathcal{P}^+$ the structure of a monad which extends 
to $\mathcal{P}$ along the forgetful functor $G^\perp : \mathrm{Cpo}_\perp \to \mathrm{Cpo}$. The operation $(\_)^*$ such 
that $f^*X = \bigcup\{f(x) \mid x \in X_\perp\}$ extends $(\_)^{*_{\mathcal{P}^+}}$ along $G^\perp$. 
Example 3.3 Composition of monads. 

Any two monads which compose give rise to an operation $(\_)^*$. Let $R$ and $Q$ 
be monads on a category $\mathcal{C}$ and let the natural transformation $\lambda : RQ \to QR$ 
be a distributive law of $Q$ over $R$. The functor $\tilde{Q} : \mathcal{C}^R \to \mathcal{C}^R$ mapping $R$-algebras 
$\alpha$ to $Q\alpha \circ \lambda$ has the structure of a monad which forms an extension 
setting $(F^R, G^R, \tilde{Q})$. The monad $\tilde{Q}$ is the lifting of $Q$ to $\mathcal{C}^R$ associated with $\lambda$ 
(see [Bec69]). In particular, we have $G^R\tilde{Q} = QG^R$. The extension of $\tilde{Q}$ along the 
forgetful functor $G^R$ is the composite monad $QR$. In fact, we have $G^R\tilde{Q}F^R = 
QG^RF^R = QR$. Note that the pair $(F^R, \lambda)$ is a monad morphism $Q \to \tilde{Q}$. 

Writing $h^{*_Q} = \mu^Q \circ Qh$ and noticing that $\mu^Q$ is the underlying natural transformation 
of $\mu^{\tilde{Q}}$, we see that the operation $(\_)^{*_Q}$, which is obviously associative, 
extends $(\_)^{*_{\tilde{Q}}}$ along the forgetful functor $G^R$. 

4 Notions of Composition 

In the previous section we developed some intuition on how a general operation 
$(\_)^*$ to interpret program composition should look, and we wrote axioms to 
support our intuition formally. We assumed that such an operation, similar to 
composition in the Kleisli category of a monad, lives in an extension setting. 
Here we develop the theory of more general notions of composition, which need 
not belong to an extension setting. When they do, we prove that the equations 
of Section 3 are satisfied. However, it is in the more general theory that we derive 
the properties that we expected to hold from our earlier discussion. 

Let $R : \mathcal{C} \to \mathcal{C}$ be a functor, let $T$ be a monad on $\mathcal{C}$ and let $\sigma : R \to T$ 
be a natural transformation. Given $h : A \to TB$, we write $h^\sigma : RA \to TB$ for the 
morphism 

$h^{*_T} \circ \sigma.$ 

Note that, when $R$ has the structure of a monad and $\sigma$ is a monad morphism, 
there is a forgetful functor $G_\sigma : \mathcal{C}^T \to \mathcal{C}^R$ mapping $T$-algebras $(A, \alpha)$ to $R$-algebras 
$(A, \alpha \circ \sigma)$. In this case we have $h^\sigma = G^R h'$, where $h' : F^R A \to G_\sigma F^T B$ 
corresponds bijectively to $h$ by the adjunction $F^R \dashv G^R$. 

Definition 4.1 Let $R : \mathcal{C} \to \mathcal{C}$ be a functor and let $T$ be a monad on a category 
$\mathcal{C}$; a weak notion of composition is a pair $(\iota, (\_)^*)$, where $\iota : R \to T$ is a natural 
transformation and $(\_)^*$ is a family of operations: 

$(\_)^*_{A,B} : \mathcal{C}(RA, TB) \to \mathcal{C}(TA, TB)$ 

satisfying the following equations: for all $f : RB \to TC$, $g : RA \to TB$ and 
$h : A \to TB$, 

$f^* \circ g^* = (f^* \circ g)^*$ (4) 

$(h^\iota)^* = h^{*_T}$ (5) 

We write $(\iota, (\_)^*) : R \to T$ for a weak notion of composition as above to make 
$R$ and $T$ understood. 
Proposition 4.2 The operation $(\_)^*_{A,B}$ of a weak notion of composition is natural 
in $B$. 

Proof. Let $(\iota, (\_)^*) : R \to T$ be a weak notion of composition; naturality of 
$(\_)^*_{A,B}$ in $B$ is expressed by the equation $Tf \circ g^* = (Tf \circ g)^*$, where $f : B \to C$ 
and $g : RA \to TB$. Then, 

$Tf \circ g^* = (\eta \circ f)^{*_T} \circ g^* = ((\eta \circ f)^\iota)^* \circ g^* = (((\eta \circ f)^\iota)^* \circ g)^* = (Tf \circ g)^*.$ 



Proposition 4.3 Weak notions of composition $(\iota, (\_)^*) : R \to T$ satisfy the following 
equations: 

$\iota^* = id_T$ (6) 

$f^{*_T} \circ g^* = (f^{*_T} \circ g)^*$ (7) 

$Th = (\iota \circ Rh)^*.$ (8) 

Proof. Note that $\iota = \eta^\iota$. Let $f : B \to TC$, $g : RA \to TB$ and $h : A \to B$, 

$\iota^* = (\eta^\iota)^* = \eta^{*_T} = id_T;$ 

$f^{*_T} \circ g^* = (f^\iota)^* \circ g^* = ((f^\iota)^* \circ g)^* = (f^{*_T} \circ g)^*;$ 

$Th = (\eta \circ h)^{*_T} = ((\eta \circ h)^\iota)^* = (Th \circ \iota)^* = (\iota \circ Rh)^*.$ 

Weak notions of composition $(\iota, (\_)^*) : R \to T$ in which $R$ is a monad on 
$\mathcal{C}$ and $\iota$ is a monad morphism often live in an extension setting. In fact, the 
forgetful functor $G_\iota : \mathcal{C}^T \to \mathcal{C}^R$ induced by $\iota$ often has a left adjoint. This is 
always the case when $\mathcal{C}$ is Set [BW85, 9.3]. In general, it is well known that $G_\iota$ 
has a left adjoint when $\mathcal{C}^T$ has all coequalisers of reflexive pairs [Lin69, coroll. 1]. 
A sufficient condition for that to happen is that $\mathcal{C}$ has such coequalisers and $T$ 
preserves them [Lin69, coroll. 3]. 

If $G_\iota$ has a left adjoint we obtain an extension setting $(F^R, G^R, M)$ where 
$M$ is the monad induced on $\mathcal{C}^R$ by the adjunction $F_\iota \dashv G_\iota$. In this setting, 
$G^R M F^R = G^R G_\iota F_\iota F^R = G^T F^T = T$. 

The following theorem shows the correspondence between weak notions of 
composition and operations satisfying (3) and (4) as in Section 3. 

Theorem 4.4 Let $(F, G, M)$ be an extension setting; a family of operations 
$(\_)^*_{A,B} : \mathcal{C}(RA, TB) \to \mathcal{C}(TA, TB)$ satisfies (3) and (4) if and only if $(\iota, (\_)^*)$ 
is a weak notion of composition, for some $\iota$ such that $\iota \circ \eta^R = \eta^T$. 

Proof. [$\Rightarrow$] Let $\iota = G\eta^M F$ and let $h : A \to TB$. Using the naturality 
of $(\_)^{*_M}$, we have: 

$(h^\iota)^* = (\mu^T_B \circ \iota_{TB} \circ Rh)^* = (G\varepsilon^{*_M}_{MFB} \circ G\eta^M_{FTB} \circ GFh)^* = (G(\varepsilon^{*_M}_{MFB} \circ \eta^M_{FTB} \circ Fh))^*$ 

$= G(\varepsilon^{*_M}_{MFB} \circ \eta^M_{FTB} \circ Fh)^{*_M} = G\varepsilon^{*_M}_{MFB} \circ G(\eta^M_{FTB} \circ Fh)^{*_M}$ 

$= \mu^T_B \circ G(\mu^M_{FTB} \circ M\eta^M_{FTB} \circ MFh) = \mu^T_B \circ Th = h^{*_T}.$ 

[$\Leftarrow$] Let $(\iota, (\_)^*) : R \to T$, with $\iota \circ \eta^R = \eta^T$, be a weak notion of 
composition. For any $f : RA \to TB$ we have $= f$ by easy calculations. 

Let $h : FA \to MFB$; we have: 

$(Gh)^* = ((Gh \circ \eta^R)^\iota)^* = (Gh \circ \eta^R)^{*_T} = \mu^T_B \circ T(Gh \circ \eta^R)$ 

$= G\mu^M_{FB} \circ GM\varepsilon_{MFB} \circ GMFGh \circ T\eta^R$ 

$= G\mu^M_{FB} \circ GMh \circ GM\varepsilon_{FA} \circ GMF\eta^R$ 

$= G(\mu^M_{FB} \circ Mh) \circ GM(\varepsilon_{FA} \circ F\eta^R) = Gh^{*_M}.$ 

Definition 4.5 A notion of composition is a weak notion of composition 
$(\iota, (\_)^*)$ such that, for all $f : RA \to TB$, the following equation holds: 

$f^* \circ \iota = f.$ (9) 

When working with sets, the inclusions $\iota_A : A_\perp \to \mathcal{P}A$ of Section 3 do not 
satisfy (9) while they do in the case of cpos (Example 3.2). Another strictly weak 
notion of composition is the pair of operations $val^R$ and $let^R$ defined in the 
introduction to model dramatic failure. On the other hand, (9) is satisfied in the 
models of interleaving of Application 5.4. 

The following results are used in the next section: 

Proposition 4.6 The operation $(\_)^*_{A,B}$ of a notion of composition is natural in 
$A$. 

Proof. Let $(\iota, (\_)^*) : R \to T$ be a notion of composition; naturality of $(\_)^*_{A,B}$ 
in $A$ is expressed by the equation $f^* \circ Tg = (f \circ Rg)^*$, where $f : RA \to TB$ and 
$g : C \to A$. Then, from (8), (4) and (9) we have: 

$f^* \circ Tg = f^* \circ (\iota \circ Rg)^* = (f^* \circ \iota \circ Rg)^* = (f \circ Rg)^*.$ 

Proposition 4.7 Let $(\iota, (\_)^*) : R \to T$ be a weak notion of composition and let 
$\iota' : S \to T$ be a natural transformation such that $\iota = \iota' \circ \nu$ for some natural 
transformation $\nu$. The pair $(\iota', (\_)^{*_\nu})$, where $f^{*_\nu} = (f \circ \nu)^*$, is a weak notion of 
composition $S \to T$. 

Proof. The associativity of $(\_)^{*_\nu}$ is an immediate consequence of the associativity 
of $(\_)^*$. Moreover, let $h : A \to TB$, 

$(h^{\iota'})^{*_\nu} = (h^{\iota'} \circ \nu)^* = (h^{*_T} \circ \iota' \circ \nu)^* = (h^{*_T} \circ \iota)^* = (h^\iota)^* = h^{*_T}.$ 

Proposition 4.8 Let $(\iota, (\_)^*) : R \to T$ be a notion of composition and let 
$\nu : R \to S$ be a natural transformation with a right inverse, that is a natural 
transformation $\nu'$ such that $\nu \circ \nu' = id$. The pair $(\iota', (\_)^{*_\nu})$, where $\iota' = \iota \circ \nu'$ 
and $f^{*_\nu}$ is as above, is a notion of composition $S \to T$. 

Proof. It is a weak notion of composition by the previous proposition. Moreover: 

$f^{*_\nu} \circ \iota' = (f \circ \nu)^* \circ \iota \circ \nu' = f \circ \nu \circ \nu' = f.$ 
5 Applications to Modular Semantics 

In [Mog90a], a modular approach to denotational semantics is proposed, where 
mathematical models of computation are obtained by stepwise application of 
monad constructors. These are functions $\mathcal{F}$ mapping monads to monads and 
satisfying certain naturality conditions. Intuitively, the monad $\mathcal{F}T$ augments 
the structure of $T$ with the machinery to interpret a new computational feature. 
For example, the constructor $\mathcal{F}$ such that $(\mathcal{F}T)A = (T(A \times S))^S$ adds to $T$ the 
capability of modelling side-effects. Monad constructors are studied in 

In [Mog90b] the notion of uniform redefinition is introduced to lift operations 
defined in a computational setting $M$ to a new setting $\mathcal{F}M$. Let $C(\_)$ be some 
type scheme, let $op : C(MA)$ be an operation defined for a monad $M$ in a 
category $\mathcal{C}$, let $H : \mathcal{C} \to \mathcal{C}$ be an endofunctor and let $\mathcal{F}$ be a monad constructor 
of the form $(\mathcal{F}T)A = THA$; $op$ can be uniformly redefined for the monad $\mathcal{F}M$ 
as follows: 

$(\mathcal{F}op)_A = op_{HA}.$ 

This technique is not always applicable: when either $\mathcal{F}$ or $op$ is not of the 
appropriate form, ad-hoc redefinitions must be sought. The above constructor 
for side-effects, for example, does not fulfill the requirements. Neither does the 
operation $C_{A,B} : (A \to MB) \times (MA \to MB) \times MA \to MB$ used in [CM93, example 
2.10] to perform case analysis on interleaving programs. In this section we 
propose a technique based on notions of composition which yields well behaved 
redefinitions of operations in both cases. 

We show that two benefits derive from using notions of composition to define 
operations in a computational setting $M$: on the one hand it allows properties of 
the operations to be formally derived without exposing (all of) the structure of 
$M$ (thus for a large class of models); on the other hand it allows the operations 
to be redefined in cases where uniform redefinitions are not available, and their 
properties automatically preserved. 

Application 5.1 Reinterpreting failure in state models. 

Let $R$ be the monad $RA = A + 1$. We say that a monad $(H, \eta, (\_)^{*_H})$ has a 
structure for failure when it is equipped with a weak notion of composition 
$(\iota, (\_)^*) : R \to H$ and with a natural transformation $\rho : H \to H$ such that: 

$\iota \circ inl = \eta$ (10) 

$f^* \circ \eta = f \circ inl$ (11) 

$f^* \circ fail = \rho \circ f \circ inr$ (12) 

$f^{*_H} \circ fail = fail$ (13) 

where $fail_A : HA$ is the natural transformation $\iota \circ inr$. Intuitively, $\rho(N)$ is the 
program running $N$ after some recovery action. For example, $\rho$ would be the 
identity for $HA = ((A + 1) \times S)^S$ while it would feed its argument with some 
recovery state for $HA = ((A \times S) + 1)^S$. 

An operation $handle_A : HA \times HA \to HA$ running its first argument and 
handling a possible failure with its second can be defined as follows: 

$handle(M, N) = [\eta, N]^* \circ M.$ 

The following equations are satisfied by $fail$ and $handle$ in any structure for 
failure: 

$handle(\eta, N) = \eta$ 

$handle(fail, N) = \rho(N)$ 

$handle(L, handle(M, N)) = handle(handle(L, M), N).$ 

In fact, $handle(\eta, N) = [\eta, N]^* \circ \eta = [\eta, N] \circ inl = \eta$ and similarly for the other 
equations. 

The signature $HA \times HA \to HA$ is indeed of the form $C(HA)$, which makes 
$handle$ qualify for uniform redefinition. Not so however for the monad constructor 
$\mathcal{F}$ mapping $H$ to $(\mathcal{F}H)A = (H(A \times S))^S$. This constructor, however, extends 
to structures for failure as follows: 

$(\mathcal{F}\rho)\,w = \lambda s.\ \rho(w(s_0))$ 

$(\mathcal{F}\iota)\,z = \lambda s.\ let_H\ a \Leftarrow \iota(z)\ \mathit{in}\ val_H(a, s)$ 

$f^{\mathcal{F}*}\,w = \lambda s.\ let^R_H\ z \Leftarrow w(s)\ \mathit{in}\ \mathit{case}\ z\ \mathit{of}\ inl(a, s').\ f(inl(a))\,s' \mid inr(u).\ f(inr(u))\,s_0.$ 

These operations are easily shown to satisfy the axioms (10)–(13). Thus, by suitably 
extending the action of the constructor $\mathcal{F}$ to weak notions of composition 
$R \to H$, operations such as $fail$ and $handle$ are automatically redefined in models 
of computation with side-effects, in such a way that the relevant properties 
are also preserved. 

Remark. The operations $val^R$ and $let^R$ of Section 1 are obtained by applying 
the construction just described to the identity notion of composition $R \to R$. 
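As an added, runnable illustration of Application 5.1 and of the Remark (this code is not from the paper), the following Python takes the identity notion of composition $R \to R$ on $RA = A + 1$ as the base structure for failure and lifts it with the constructor $\mathcal{F}$ to $(R(A \times S))^S$, the state-and-failure monad of the introduction in which the state is lost on failure and the handler resumes from the recovery state $s_0$. The encoding of sums as tagged tuples, the integer state, the value chosen for $s_0$ and the sample programs are assumptions of this example; `check_failure_axioms` tests the three $handle$ equations on them.

```python
from typing import Any, Tuple

# R A = A + 1, encoded as tagged tuples: ('inl', a) is a value and ('inr',)
# is the single failure.  The same type serves as the base monad H here.
INR: Tuple = ('inr',)


def inl(a: Any) -> Tuple:
    return ('inl', a)


# Base structure for failure on H = R: the identity notion of composition.
def eta_H(a):            # unit of H
    return inl(a)


fail_H = INR             # fail = iota o inr = inr


def iota_H(z):           # iota = id, so (10) iota o inl = eta holds
    return z


def star_H(f):           # f^* = f, so (11) and (12) hold with rho = id
    return f


def rho_H(n):            # no recovery action is needed in the base monad
    return n


def kleisli_H(g):        # (_)^{*_H}: propagates failure, so (13) holds
    return lambda m: g(m[1]) if m[0] == 'inl' else INR


# The constructor F : H |-> (H(A x S))^S.  A program of the new monad is a
# function from a state s to H(value, new state).
S0 = 0                   # constructed recovery state s_0 (assumption)


def F_eta(a):            # return a and leave the state unchanged
    return lambda s: eta_H((a, s))


def F_iota(z):           # (F iota) z = λs. let_H a <= iota(z) in val_H(a, s)
    return lambda s: kleisli_H(lambda a: eta_H((a, s)))(iota_H(z))


def F_rho(w):            # (F rho) w = λs. rho(w(s_0)): restart from s_0
    return lambda s: rho_H(w(S0))


def F_star(f):
    """f^{F*} w = λs. let z <= w(s) in
         case z of inl(a, s'). f(inl(a)) s' | inr. f(inr) s_0"""
    def on_result(z):
        if z[0] == 'inl':
            a, s_after = z[1]
            return f(inl(a))(s_after)
        return f(INR)(S0)
    return lambda w: lambda s: star_H(on_result)(w(s))


fail_F = F_iota(INR)     # λs. ('inr',): the current state is discarded


def F_bind(m, k):        # ordinary sequencing in the new monad
    return F_star(lambda z: k(z[1]) if z[0] == 'inl' else fail_F)(m)


def handle(m, n, eta, star):   # handle(M, N) = [eta, N]^* o M, any structure
    return star(lambda z: eta(z[1]) if z[0] == 'inl' else n)(m)


def handle_F(m, n):
    return handle(m, n, F_eta, F_star)


# Constructed sample programs over an integer state.
def tick(s):                   # return the current state and increment it
    return inl((s, s + 1))


tick_then_fail = F_bind(tick, lambda _value: fail_F)


def run(prog, s):
    return prog(s)


def check_failure_axioms(a, n, s) -> bool:
    """The three handle equations of Application 5.1, checked at state s."""
    eq1 = run(handle_F(F_eta(a), n), s) == run(F_eta(a), s)
    eq2 = run(handle_F(fail_F, n), s) == run(F_rho(n), s)
    left, mid = tick_then_fail, tick
    eq3 = (run(handle_F(left, handle_F(mid, n)), s)
           == run(handle_F(handle_F(left, mid), n), s))
    return eq1 and eq2 and eq3
```

Running `handle_F(tick_then_fail, tick)` from state 5 yields `('inl', (0, 1))`: the state 6 reached before the failure is lost and the handler `tick` runs from the recovery state `S0`, which is exactly the dramatic-failure behaviour the introduction describes; `handle_F(tick, tick)` from state 5 simply passes the successful result `('inl', (5, 6))` through.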

Application 5.2 Inwards monad constructors. 

Here we describe a class of monad constructors $\mathcal{F}$ which have a canonical 
lifting of (weak) notions of composition $R \to T$ to $\mathcal{F}R \to \mathcal{F}T$. In the next 
application we use this construction to obtain a reinterpretation of interleaving in 
models of exceptions. 

We call inwards a monad constructor $\mathcal{F}$ such that: 

$(\mathcal{F}M)A = M(HA)$ for some functor $H$, and 

$\mu^{\mathcal{F}M} = \mu^M H \circ M\rho$ for some natural transformation $\rho : HMH \to MH$. 
Remark. The above condition on $\mu^{\mathcal{F}M}$ arises when composing monads with 
functors. Let $H$ be a functor, let $\eta^H : Id \to H$ be a natural transformation and 
let $\eta$ be $\eta^M H \circ \eta^H$. There is a one to one correspondence between natural 
transformations $\rho : HMH \to MH$ satisfying 

$\rho \circ \eta^H MH = id$ 

$\rho \circ H\eta^{MH} =$ 

$\rho \circ H\mu^{MH} =$ 

where $\mu^{MH}$ is the natural transformation $\mu^M H \circ M\rho$, and monads $(MH, \eta, \mu)$ 
such that $\mu \circ \eta^M HMH = \mu^M H \circ M\rho$ (see [JD93]). 

Proposition 5.3 Let the monad constructor $(\mathcal{F}M)A = M(HA)$ be inwards, and 
let $(\iota, (\_)^*) : R \to T$ be a (weak) notion of composition. The pair of operations 
$(\iota H, (\_)^{*_\mathcal{F}})$, where $(\_)^{*_\mathcal{F}}_{A,B} = (\_)^*_{HA,HB}$, is a (weak) notion of composition $\mathcal{F}R \to \mathcal{F}T$. 

Proof. Associativity (and right unit) are inherited immediately from $(\iota, (\_)^*)$. 
Let $f : A \to THB$; noticing that $f^{*_{\mathcal{F}T}} = (\rho \circ Hf)^{*_T}$, we have: 

$(f^{\iota H})^{*_\mathcal{F}} = (f^{*_{\mathcal{F}T}} \circ \iota H)^* = ((\rho \circ Hf)^{*_T} \circ \iota)^* = (\rho \circ Hf)^{*_T} \circ \iota^*$ 

$= \mu^T H \circ T\rho \circ THf = \mu^{\mathcal{F}T} \circ THf = f^{*_{\mathcal{F}T}}.$ 

Application 5.4 Reinterpreting interleaving in models of exceptions. 

In [CM93], the semantics of computation with interleaving is described in 
terms of the “resumptions monad” $TA = \mu X.\,Q(A + X)$ and two families of 
operations 

$\tau_A : TA \to TA$ 

$C_{A,B} : (A \to TB) \times (TA \to TB) \times TA \to TB,$ 

from which interesting programming constructs can be defined, such as the operator 
pand of parallel composition described in [Cen95, 7.3]. The operations $\tau$ 
and $C$ arise from a notion of composition $(\iota, (\_)^*) : Id + T \to T$. Let $\alpha_A$ be the 
isomorphism $Q(A + TA) \to TA$ and let $\gamma_A$ be its inverse. We define: 

$\iota(z) = \mathit{case}\ z\ \mathit{of}\ inl(a).\ \alpha(val_Q(inl(a))) \mid inr(u).\ \alpha(val_Q(inr(u)))$ 

$f^*(w) = \alpha(let_Q\ z \Leftarrow \gamma(w)\ \mathit{in}\ \gamma(f(z)))$ 

The associativity of $(\_)^*$ follows easily from the associativity of $(\_)^{*_Q}$. Similarly, 
$f^* \circ \iota = f$ follows from $f^{*_Q} \circ \eta^Q = f$. As for (5), note that, for $h : A \to TB$, 
we have: 

$h^\iota(z) = \mathit{case}\ z\ \mathit{of}\ inl(a).\ h(a) \mid inr(u).\ \alpha(val_Q(inr(h^{*_T}u)))$ 

and hence 

$h^*(w) = \alpha(let_Q\ z \Leftarrow \gamma(w)\ \mathit{in}\ \mathit{case}\ z\ \mathit{of}\ inl(a).\ \gamma(h(a)) \mid inr(u).\ val_Q(inr(h^{*_T}u))) = h^{*_T}w.$ 

Now, the operations $\tau$ and $C$ of [CM93] can be defined as follows: 

$\tau(w) = \iota(inr(w))$ 

$C(f, g, w) = (\lambda z.\ \mathit{case}\ z\ \mathit{of}\ inl(a).\ f(a) \mid inr(u).\ g(u))^*\,w.$ 

Noticing that $\eta^T = \iota \circ inl$, from (9) and (6) one can easily derive the equations 

$C(f, g, \eta) = f$ 

$C(f, g, \tau) = g$ 

$C(\eta, \tau, w) = w$ 

showing that $\tau$ and $C$ behave respectively as right injection and case analysis. 
The commutativity of the operator pand of [Cen95, 7.3] can be easily derived 
from these equations and from the commutativity of an operation of nondeterministic 
choice. 

Let $H$ be the functor $HA = A + E$, where $E$ is some object “of exceptions.” 
Given a monad $M$ there is a unique monad $(MH, \eta, \mu)$ such that $\eta = \eta^M H \circ inl$ 
and $\mu \circ \eta^M HMH = \mu^M H \circ M\rho$. This follows from the remark in Application 5.2. We write 
$\mathcal{F}$ for the monad constructor for exceptions, mapping monads $M$ to $MH$. 

The constructor $\mathcal{F}$ is inwards. Hence, applying Proposition 5.3 to the notion 
of composition $Id + T \to T$ defined above, we get a notion of composition 
$H + TH \to TH$ satisfying (9). Then, noticing that the natural transformation 
$[id + \ldots \circ inr,\ inr] : H + TH \to Id + TH$ has a right inverse $inl + id$, we 
obtain, by Proposition 4.8, a notion of composition $Id + TH \to TH$ to interpret 
interleaving in models constructed by $\mathcal{F}$. Again, $C$ and $\tau$ are automatically 
reinterpreted in such models and the relevant properties are preserved. 



6 Conclusions 

We proposed a general categorical setting for modeling program composition in 
which the call-by-value and call-by-name disciplines fit as special cases. Call-by-need 
is also captured in this framework for nondeterministic programs; it 
is an interesting question whether call-by-need programs with side effects can 
be captured similarly. The proposed theory of program composition features 
two operations $\iota$ and $(\_)^*$, reminiscent of the unit and lifting of Kleisli triples, 
of which only weak properties are assumed. These are however enough to derive 
simple equational properties of common program constructs such as exception 
handling and parallel composition. The paper argues that, by defining program 
constructs in terms of $\iota$ and $(\_)^*$, not only can one validate program equivalences 
axiomatically for large classes of models, but also reinterpret the constructs when 
models are extended, preserving the truth of the relevant axioms. Since we are 
able to do this in cases where the uniform redefinitions proposed in [Mog90b] are 
not available, our technique makes one step forward towards a modular approach 
to denotational semantics. The proposed technique is applied in [KJenDHI] to the 
semantics of Java, where we seek a modular proof of computational adequacy 
with respect to the operational semantics of [IK JKb.W iJHI]. 
Abstract. One of the novel features of Casl, the Common Algebraic 
Specification Language, is the provision of so-called architectural specifications 
for describing the modular structure of software systems. A 
discussion of refinement of Casl specifications provides the setting for 
a presentation of the rationale behind architectural specifications. This 
is followed by details of the features provided in Casl for architectural 
specifications, hints concerning their semantics, and simple results justifying 
their usefulness in the development process. 

1 Introduction 

A common feature of present-day algebraic specification languages (see e.g. 
[pW8^], [pMSSj], [CHfTQ^]) is the provision of specification-building 
operations [pHTTl] for building large specifications in a structured fashion 
from smaller and simpler ones. Less usual are features for describing the 
modular structure of software systems under development. This paper is about 
the facilities for this that are provided in Casl, the new Common Algebraic 
Specification Language that has been developed under the auspices of 
the Common Framework Initiative [Mosh7l K loFlhSa'] in an attempt to create a 
focal point for future joint work on algebraic specifications and a platform for 
exploitation of past and present work on methodology, support tools, etc. 

Following practical experiences [F,I9()] and foundational work [Bid88], [ST89], 
Esna, EM, we argue that mechanisms to structure specifications cannot 
suffice for describing the modular structure of software under development. Casl 
therefore provides a separate kind of specifications, so-called architectural specifications, 
for this purpose. An architectural specification consists of a list of unit 
declarations, indicating the component modules required with specifications for 
each of them, together with a unit term that describes the way in which these 
modules are to be combined. Such architectural specifications are aimed at the 
“implementation” modular structure of the system rather than at the “interaction” 
relationships between modules in the sense of (the latter to be 
considered when specifications of “reactive” modules are introduced in a Casl 
extension). 

The aim of this paper is to present motivation, intuition and technicalities 
related to this concept. We provide some information about Casl in Sect. 2, discuss 
the development of programs from specifications by stepwise refinement in 
Sect. 3 and then introduce architectural specifications in Sect. 4. The semantics 
and correctness issues of architectural specifications are discussed in Sects. 0 El 
and[3 The development process in the presence of architectural specifications 
is briefly discussed in Sect. 0 

Even though we present architectural specifications in the context of Casl, 
the ideas apply in any specification and development framework, as we mention 
in Sect. El We also briefly mention there the issue of behavioural refinement. 

2 CASL Preliminaries 

Casl is a formalism to describe Casl structures: many-sorted algebras with subsorts, 
partial operations and predicates. Structures are classified by signatures, 
which give sort names (with their subsorting relation), partial/total operation 
names, and predicate names, together with profiles of operations and predicates. 
For each signature $\Sigma$, the class of all $\Sigma$-structures is denoted $\mathrm{Mod}[\Sigma]$. 

The basic level of Casl includes declarations to introduce components of 
signatures and axioms to give properties of structures that are to be considered 
as models of a specification. The logic used to write the axioms is essentially 
first-order logic built over atomic formulae which include strong and existential 
equalities, definedness formulae and predicate applications. A basic Casl specification 
$SP$ amounts to a definition of a signature $\Sigma$ and a set of axioms $\Phi$. It 
denotes the class $[\![SP]\!] \subseteq \mathrm{Mod}[\Sigma]$ of its models, which are those $\Sigma$-structures 
that satisfy all the axioms in $\Phi$: $[\![SP]\!] = \{A \in \mathrm{Mod}[\Sigma] \mid A \models \Phi\}$. 

Casl provides ways of building complex specifications out of simpler ones by 
means of various structuring constructs. These include translation, hiding, union, 
and both free and loose forms of extension. Generic specifications and their 
instantiations with pushout-style semantics are also provided. Structured 
specifications built using these constructs can be given a compositional semantics 
where each specification $SP$ determines a signature $\mathrm{Sig}[SP]$ and a class $[\![SP]\!] \subseteq 
\mathrm{Mod}[\mathrm{Sig}[SP]]$ of models. 

2.1 Example 

Here is a sequence of definitions of Casl specifications. 

spec Num = 
    sort Num 
    ops 0 : Num; 
        succ : Num → Num 
end 

spec AddNum = Num then 
    op plus : Num × Num → Num 
    vars x, y : Num 
    axiom plus(x, succ(y)) = succ(plus(x, y)) 

spec OrdNum = Num then 
    pred __ < __ : Num × Num 
    axiom ∀x : Num • 0 < succ(x) 

spec CodeNum = 
    AddNum and OrdNum 
then 
    op code : Num → Num 
    axiom ∀x : Num • 0 < code(x) 

We start with a signature for natural numbers, and then extend it in two ways: 
by a binary operation with a simple axiom and by a loosely specified binary 
predicate. In CodeNum we put both extensions together and then add a unary 
operation on Num with another simple axiom. 

spec Elem = sort Elem end 

spec PartContainer[Elem] = 
    generated type Cont ::= empty | add(Elem; Cont)? 
    pred addable : Elem × Cont 
    vars x, y : Elem; C : Cont 
    axiom def add(x, C) ⇔ addable(x, C) 
    pred __ ∈ __ : Elem × Cont 
    axioms ¬(x ∈ empty); 
           (x ∈ add(y, C) ⇔ x = y ∨ x ∈ C) if addable(y, C) 
end 

This is a generic (in Elem) specification of “partial containers”, which introduces 
a datatype Cont generated by a constant empty and a partial constructor add 
that adds an element to a container. An element x may be added to a container 
C if and only if addable(x, C) is satisfied. But addable is left unspecified at this 
stage. The usual membership predicate is provided as well. 

spec PartNumCont = 
    PartContainer[CodeNum fit Elem ↦ Num] 

We instantiate PartContainer to CodeNum, with an appropriate fitting of 
the parameter. The result contains all the components of CodeNum together 
with those added by PartContainer with their profiles adjusted accordingly. 

spec UniqueNumCont = 
    PartNumCont 
then 
    vars x : Num; C : Cont 
    axiom addable(x, C) ⇔ ¬(x ∈ C) ∧ ¬(code(x) ∈ C) 

Finally, we constrain the addability condition, requiring that a number is addable 
to a container if and only if neither it nor its code are already included there. 

3 Program Development and Refinement 

The intended use of Casl is to specify programs. Each Casl specification should
determine a class of programs that realize the specified requirements. It follows
that programs must be written in a language having a semantics which assigns¹
to each program its denotation as a Casl structure. Then each program P
determines a signature Sig[P] and a structure [[P]] ∈ Mod[Sig[P]]. The denotation
[[SP]] of a specification SP is a description of its admissible realizations: a
program P is a (correct) realization of SP if Sig[P] = Sig[SP] and [[P]] ∈ [[SP]].

In an idealized view of program development, we start with an initial loose
requirements specification SP_0 and refine it step by step until some easily
realizable specification SP_last is obtained:

    SP_0 ⇝ SP_1 ⇝ ··· ⇝ SP_last



Stepwise refinement only makes sense if the above chain of refinements guarantees
that any correct realization of SP_last is also a correct realization of SP_0: for
any P, if [[P]] ∈ [[SP_last]] then [[P]] ∈ [[SP_0]]. This is ensured by the definition of
refinement: for any SP and SP' with the same signature, we define

    SP ⇝ SP'  ⟺  [[SP']] ⊆ [[SP]].

The construction of a program to realize SPiast is outside the scope of Casl. 
Furthermore, there is no construct in Casl to explicitly express refinement be- 
tween specifications. All this is a part of the meta-level, though firmly based on 
the formal semantics of Casl specifications. 

A more satisfactory model of refinement allows for modular decomposition 
of a given development task into several tasks by refining a specification to a 
sequence of specifications, each to be further refined independently. (Of course, 
a development may branch more than once, giving a tree structure.) 



              SP_1 ⇝ ··· ⇝ SP_1,last
    SP ⇝ BR     ⋮
              SP_n ⇝ ··· ⇝ SP_n,last

Once we have realizations P_1, ..., P_n of the specifications SP_1,last, ..., SP_n,last,
we should be able to put them together with no extra effort to obtain a realization
of SP. So for each such branching point we need an operation to combine
arbitrary realizations of SP_1, ..., SP_n into a realization of SP. This may be
thought of as a linking procedure LINK_BR attached to the branching point BR,
where for any P_1, ..., P_n realizing SP_1, ..., SP_n, LINK_BR(P_1, ..., P_n) realizes
SP: if [[P_1]] ∈ [[SP_1]], ..., [[P_n]] ∈ [[SP_n]] then [[LINK_BR(P_1, ..., P_n)]] ∈ [[SP]].

The nature of LINK_BR depends on the nature of the programs considered.
Our preferred view is that the programming language in use has reasonably
powerful and flexible modularization facilities, such as those in Standard ML
or Ada. Then P_1, ..., P_n are program modules (structures in Standard ML,
packages in Ada) and LINK_BR is a module expression (or a generic module on
its own) with formal parameters for which the actual modules P_1, ..., P_n may be

¹ This may be rather indirect, and in general involves a non-trivial abstraction step.
It has not yet been attempted for any real programming language.

substituted. Note that if we later replace a module P_i by another realization P_i'
of SP_i, “recompilation” of LINK_BR(P_1, ..., P_i', ..., P_n) might be required but
in no case will it be necessary to modify the other modules.

One might expect that BR above is just a specification-building operation
OP (or a specification construct expressible in Casl), and branching could be
viewed as “ordinary” refinement SP ⇝ OP(SP_1, ..., SP_n). Further refinement
of OP(SP_1, ..., SP_n) might then consist of separate refinements for SP_1, ..., SP_n
as above. Then we need at least that OP is “monotonic” w.r.t. inclusion of model
classes². This view is indeed possible provided that the specification-building
operation OP is constructive: for any realizations P_1, ..., P_n of SP_1, ..., SP_n, we
must be able to construct a realization LINK_OP(P_1, ..., P_n) of OP(SP_1, ..., SP_n).
However, simple examples show that some standard specification-building
operations (like the union of specifications) do not have this property. (See [...]
for a different approach to this problem.)

Another problem with the refinement step SP ⇝ OP(SP_1, ..., SP_n) is that
it does not explicitly indicate that subsequent refinement is to proceed by
independently refining each of SP_1, ..., SP_n, so preserving the structure imposed
by the operation OP. The structure of the specification OP(SP_1, ..., SP_n) in
no way prescribes the structure of the final program. And this is necessarily 
so: while preserving this structure in the subsequent development is convenient 
when it is natural to do so, refinements that break this structure must also be 
allowed. Otherwise, at very early stages of the development process we would 
have to fix the final structure of the resulting program: any decision about struc- 
turing a specification would amount to a decision about the structure of the final 
program. This is hardly practical, as the aims of structuring specifications in the 
early development phases (and at the requirements engineering phase) are quite 
distinct from those of structuring final programs. Simple examples are mentioned
below, cf. [...].

On the other hand, at certain stages of program development we need to 
fix the structure of the system under development: the design of the architec- 
ture of the system is often among the most important design decisions in the 
development process. In Casl, this is the role of architectural specifications, see
Sect. 4.



3.1 Example 

Consider the task of realizing UniqueNumCont from Sect. 2.1. Its structure
does not provide useful guidance to the structure of its realization. For instance, 
the last extension of PartNumCont by an axiom for addable cannot be a 
directive to first realize PartNumCont and then somehow miraculously ensure 

² The specification-building operations we use here, hence all derived specification
constructs, are monotonic, as are most of the constructs of Casl and other specification
languages. The few exceptions — like imposing the requirement of freeness — can
be viewed as operations which add “constraints” to specifications rather than as
fully-fledged specification-building operations.

that the predicate addable does indeed satisfy the axiom. One might change this
specification, so that a realization of PartNumCont would be required for any 
choice of addable — but this would be quite a different specification with quite 
a different structure. Moreover, it would not enable the implementor to take 
advantage of the fact that the axiom for addable ensures that an element need 
never be added to a container more than once. 

We might re-structure the above specification instead by introducing some 
new “constructive” compositions or exposing some existing ones. For instance: 

spec UniqueContainer [CodeNum] =
  PartContainer[CodeNum fit Elem ↦ Num]
  then vars x : Num; C : Cont
  axiom addable(x, C) ⇔ ¬(x ∈ C) ∧ ¬(code(x) ∈ C)

spec UniqueNumCont' = UniqueContainer[CodeNum]

Then we have that UniqueNumCont ⇝ UniqueNumCont' (in fact, the two
specifications are equivalent) and the instantiation in the latter specification
is “constructive”, which indicates a possible split of further development to a
part where a realization of CodeNum is developed and another part where
UniqueContainer is implemented. See Sect. 4.1 below for details.

4 Architectural Specifications 

The conclusion from Sect. 3 is that there are two different kinds of structuring
mechanisms needed in the specification and development process. 

On one hand we need the standard mechanisms to structure specifications 
to facilitate their construction, reading, understanding and re-use. These are 
provided by the specification-building operations of Casl, disregarding whether
these operations are “constructive” or not. On the other hand, at a certain stage 
of program development we need to design the structure of the final program, 
and consider these decisions binding in the subsequent development process. 
Such a design is given by refining a specification to a “constructive” combi- 
nation of specified components. The essence here is not so much the use of a 
constructive specification-building operation, as rather some specific construc- 
tion (linking procedure) that builds a realization of the original specification 
once given realizations of the component specifications. 

The latter structuring facility, although quite standard in modular program- 
ming languages, is rarely explicitly provided in specification formalisms. In many 
approaches, the structure of the specification is regarded as determining the 
structure of the final program, examples like those in Sect. 3.1 notwithstanding,
see e.g. [...]. Or else ad hoc informal mechanisms are used to
indicate that a certain part of the structure of a specification (given by a con- 
structive specification-building operation) is to remain fixed throughout the rest 
of the development. We consider this unsatisfactory and likely to be confusing. 
Therefore Casl provides an explicit notation whereby one specifies the components
required together with a way to combine them to build the resulting
program. Such architectural specifications can be used to refine ordinary spec- 
ifications, whether structured or not, explicitly introducing branching into the 
development process and structure into the final program: 




              SP_1
    SP ⇝ BR     ⋮
              SP_n

The corresponding architectural specification is written as follows:

units U_1 : SP_1;
      ...
      U_n : SP_n
result LINK_BR(U_1, ..., U_n)

Notice that we provide names for program units to be implemented according to
the component specifications given, and we give a “linking procedure” LINK_BR
to combine these units rather than an operation to combine their specifications.
The component specifications SP_1, ..., SP_n are ordinary Casl specifications.
The “linking procedure” LINK_BR(U_1, ..., U_n) is just a unit term that might
involve the units named U_1, ..., U_n. It builds a new unit when given actual
units U_1, ..., U_n correctly realizing the specifications SP_1, ..., SP_n. Typically
SP_1, ..., SP_n (and so, units that realize them) will contain shared parts, or
some of them will rely on others. For instance, we might start by implementing
some simple specification SP_1. Then, given an implementation U_1 of SP_1, build
an implementation U_2 of some “larger” specification SP_2 using U_1, etc. The last
stage is to build an implementation U_n of SP_n using U_{n-1}, and the final result
is U_n. The corresponding architectural specification is:

units U_1 : SP_1;
      U_2 : SP_2 given U_1;
      ...
      U_n : SP_n given U_{n-1}
result U_n

Of course, this is just the simplest case. In particular, it does not cover multiple 
dependencies (where a unit might use several other units) , sharing between vari- 
ous units in a more flexible way than just having each unit use the previous one, 
or reusability (whereby a unit may be used more than once). Still, it illustrates 
the idea of splitting a development task into subtasks, clearly indicating their 
interfaces and the flow of information between them. In the extreme, such a split 
may be done step by step, each time splitting the work into just two parts: 





              SP_1
    SP ⇝ BR
              SP

units U_1 : SP_1;
      U_2 : SP given U_1
result U_2
The task of providing a realization U_1 for SP_1 is independent from the task of
providing a realization U_2 for SP using U_1. It follows that no properties of U_1
may be exploited in the development of U_2 other than those explicitly ensured
by the specification SP_1. This requires a realization of SP for any realization
of SP_1, which is tantamount to requiring a generic realization F of SP which
takes the particular realization of SP_1 as parameter. Then we obtain U_2 by
simply feeding U_1 to F.

Genericity here arises from the independence of the developments of U_1 and
U_2, rather than from the desire to build multiple realizations of SP using different
realizations of SP_1. This is reflected in the fact that F is not named in the
architectural specification above. If it is desired to indicate the potential for
re-use explicitly, we may give F “first-class” status as a so-called generic unit with
a specification SP_1 → SP which indicates that it will realize SP when given a
realization of SP_1:

units U_1 : SP_1;
      F : SP_1 → SP;
      U_2 = F[U_1]
result U_2

Here, U_2 = F[U_1] is a so-called unit definition.

The earlier specification is equivalent to this version except that F is anony- 
mous there. This shows how to explain architectural specifications involving 
“given” by translation to architectural specifications involving generic units. A 
key insight is the use of genericity to control the flow of information between 
developments of independent units, as well as for multiple instantiation. Despite 
this, it seems useful to retain both notations as they convey different pragmatic 
intuitions. 

Generic unit specifications correspond to functor headings in Extended ML
and to a restricted form of Π-specifications in [...], cf. Spectral [...].

Generic unit specifications and generic specifications coincide in ACT ONE
[EM85], which the above discussion argues is inappropriate.

4.1 Example 

Recall the specifications built in Sect. 2.1 and the further comments on them in
Sect. 3.1. We ended up there with a specification

spec UniqueNumCont' = UniqueContainer[CodeNum]

which indicates a way of decomposing the task of implementing UniqueNumCont.
This may be turned into a design decision by refining this specification
to an architectural specification that captures the decomposition meant here:

arch spec UCNum =
  units N : CodeNum;
        UCN : UniqueNumCont' given N
  result UCN

Then UniqueNumCont ⇝ UCNum.
We might, however, be a bit more clever in our design and require a realization
of containers with the specified “uniqueness” property for arbitrary
elements equipped with the operations that allow one to express this property.
For instance³:

spec TransElem =
  sort Elem
  op transform : Elem -> Elem
end

spec AbstractUniqueCont =
  PartContainer[TransElem]
  then vars x : Elem; C : Cont
  axiom addable(x, C) ⇔ ¬(x ∈ C) ∧ ¬(transform(x) ∈ C)

arch spec AbstractUCNum =
  units N : CodeNum;
        AUC : TransElem → AbstractUniqueCont
  result AUC[N fit Elem ↦ Num, transform ↦ code]

We still have UniqueNumCont ⇝ AbstractUCNum.

The required generic unit AUC here is more abstract and more general than
the “anonymous” unit to build UCN as required in UCNum. AUC has to work
for arbitrary structures fitting the abstract TransElem specification; it could
be re-used in the future for arguments other than N.
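As an added illustration (not code from the paper or from any Casl tool), here is AbstractUCNum rendered in Python: the generic unit AUC is a function from a realization of TransElem to a realization of AbstractUniqueCont, N realizes CodeNum with our own choice of interpretation (Num as int, code(x) = 2x + 1), and the result term AUC[N fit Elem ↦ Num, transform ↦ code] becomes an ordinary function application; a second instantiation with succ shows the re-use mentioned above.

```python
"""Added example: the architectural specification AbstractUCNum (Sect. 4.1)
as Python.  Interpretations chosen here (ints, code(x) = 2x + 1) are ours."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional, Tuple

# ---- unit N : CodeNum  (assumed interpretation: Num = non-negative int)
def succ(x: int) -> int:
    return x + 1

def plus(x: int, y: int) -> int:
    return x + y          # plus(x, succ(y)) = succ(plus(x, y)) holds

def less(x: int, y: int) -> bool:
    return x < y          # loosely specified pred __ < __; 0 < succ(x) holds

def code(x: int) -> int:
    return 2 * x + 1      # axiom forall x . 0 < code(x) holds for x >= 0

N: Dict[str, Any] = {"succ": succ, "plus": plus, "<": less, "code": code}

@dataclass(frozen=True)
class Cont:
    """generated type Cont ::= empty | add(Elem; Cont)?, kept as an immutable
    tuple of the elements in insertion order."""
    elems: Tuple[Any, ...] = ()

def AUC(transform: Callable[[Any], Any]) -> Dict[str, Any]:
    """Generic unit AUC : TransElem -> AbstractUniqueCont.  Each call builds a
    fresh set of container operations closed over the argument's transform
    (generative instantiation, as Sect. 6 assumes)."""
    empty = Cont()

    def member(x: Any, C: Cont) -> bool:      # pred __ in __
        return x in C.elems

    def addable(x: Any, C: Cont) -> bool:
        # axiom addable(x, C) <=> not (x in C) and not (transform(x) in C)
        return not member(x, C) and not member(transform(x), C)

    def add(x: Any, C: Cont) -> Optional[Cont]:
        # partial constructor: def add(x, C) <=> addable(x, C); None = undefined.
        # Membership axiom: x in add(y, C) <=> x = y or x in C, when addable(y, C).
        if not addable(x, C):
            return None
        return Cont(C.elems + (x,))

    return {"empty": empty, "add": add, "addable": addable, "member": member}

# result AUC[N fit Elem |-> Num, transform |-> code]
UCN = AUC(N["code"])

def build(unit: Dict[str, Any], xs) -> Tuple[Cont, list]:
    """Add xs in order; return the final container and the elements that were
    rejected because they were not addable at that point."""
    C, rejected = unit["empty"], []
    for x in xs:
        nxt = unit["add"](x, C)
        if nxt is None:
            rejected.append(x)
        else:
            C = nxt
    return C, rejected

if __name__ == "__main__":
    C, rejected = build(UCN, [3, 3, 1, 7, 2])
    print(C.elems, rejected)     # (3, 7, 2) [3, 1]: 3 repeated, code(1) = 3 present
```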



5 Semantics of Unit Specifications 

Consider a unit specification of the form SP' → SP. In Casl, SP is implicitly
viewed as an extension of SP'. We therefore assume that in each specification
of the form SP' → SP, SP extends SP', that is: Sig[SP'] ⊆ Sig[SP] and
[[SP]]|_Sig[SP'] ⊆ [[SP']].

To realize the specification SP' → SP, we should provide a “program fragment”
ΔP for SP \ SP' that extends any realization P' of SP' to a realization
ΔP(P') of SP. For all programs P' such that [[P']] ∈ [[SP']], ΔP(P') must be a
program that extends P' and realizes SP. Hence, semantically ΔP determines
a function [[ΔP]] : [[SP']] → [[SP]] that “preserves” its argument. Consequently:

    [[SP' → SP]] = {F : [[SP']] → [[SP]] | for all A' ∈ [[SP']], F(A')|_Sig[SP'] = A'}

This view of program fragments as functions naturally leads to further gen- 
eralisations. The most obvious one is to admit multi-argument functions, pro- 
viding for the possibility that the realization of some specification might depend 

³ The reader is kindly asked to rely on her/his intuition and the obvious analogy with
the instantiation of generic specifications to grasp the meaning of instantiation of
generic units with non-trivial fitting of arguments.
on realizations of more than one (sub-)specification. Specifications of multiply-
dependent units will have the form SP_1 × ... × SP_n → SP. As with singly-
dependent units, we assume that SP extends each of SP_1, ..., SP_n (or equivalently,
their union). We then have:

    [[SP_1 × ... × SP_n → SP]] = {F : [[SP_1 × ... × SP_n]] → [[SP]] |
        for all (A_1, ..., A_n) ∈ [[SP_1 × ... × SP_n]],
        F(A_1, ..., A_n)|_Sig[SP_i] = A_i, for i = 1, ..., n}

We have not yet defined [[SP_1 × ... × SP_n]]. In general, not all tuples (A_1, ..., A_n)
of structures A_1 ∈ [[SP_1]], ..., A_n ∈ [[SP_n]] can be extended to structures in [[SP]]:
if a symbol in SP is inherited from one or more of SP_1, ..., SP_n, then its
interpretation in the resulting structure must be the same as in each corresponding
argument structure. So, if such a symbol occurs in several arguments then it is
impossible to expand a tuple of arguments to a result unless all of the relevant
arguments interpret this symbol in the same way.

A tuple (A_1, ..., A_n) of structures A_1 ∈ Mod[Σ_1], ..., A_n ∈ Mod[Σ_n] is
compatible if any symbol that occurs in both Σ_i and Σ_j is interpreted in the
same way in A_i and A_j, for 1 ≤ i, j ≤ n. Then we take Mod[Σ_1 × ... × Σ_n] to
be the class of all compatible tuples of structures from Mod[Σ_1], ..., Mod[Σ_n],
respectively, and define:

    [[SP_1 × ... × SP_n]] =
        {(A_1, ..., A_n) ∈ Mod[Σ_1 × ... × Σ_n] | A_1 ∈ [[SP_1]], ..., A_n ∈ [[SP_n]]}

6 Sharing and Well-Formedness 

The definitions at the end of the previous section convey important method- 
ological concepts. Namely, we now have a way to require that a number of units 
(fed to a unit dependent on them) share some of their parts. Even though they 
might be developed independently, certain parts of the argument units must be 
identical. In Casl, this requirement is imposed by the use of the same names in 
argument signatures for symbols which are to be shared between the argument 
units. An application of a generic unit to a tuple of arguments is well-formed
only if the arguments share their commonly-named parts. In a programming
language like Standard ML, this is a part of the “type discipline” and the required
sharing is (type-)checked statically.

Consider the following simple example: 

spec SPo = sort s end
spec SPa = sort s op a : s end
spec SPb = sort s op a, b : s end
spec SPc = sort s op a, c : s end
spec SPd = sort s op a, b, c, d : s axiom d = b ∨ d = c end
Then the generic unit specification SPb × SPc → SPd imposes a constraint on the
arguments for the generic unit: they are required to share a common realization
of the sort s and constant a. Consequently, given the following unit declarations:

units Ub : SPb;
      Uc : SPc;
      Fd : SPb × SPc → SPd

the instantiation Fd[Ub, Uc] cannot be allowed, since we have no way to ensure
that the units Ub and Uc do indeed share s and a. On the other hand, consider
the following unit declarations:

units Ua : SPa;
      Fb : SPa → SPb;
      Fc : SPa → SPc;
      Fd : SPb × SPc → SPd

The unit term Fd[Fb[Ua], Fc[Ua]] is well-formed in the context of these declarations.
The required sharing between the two arguments for Fd, namely between
Fb[Ua] and Fc[Ua], is ensured. In both Fb[Ua] and Fc[Ua] the sort s and constant
a come from Ua, and so must be the same.

The situation becomes a bit less clear if components of instantiations of
generic units are involved. For instance, consider:

units Uo : SPo;
      Fa : SPo → SPa

and declarations of Fb, Fc, Fd as above. Is Fd[Fb[Fa[Uo]], Fc[Fa[Uo]]] well-formed?
One might expect so: the sort s in the two arguments for Fd can be traced to
Uo, and the constant a to the two occurrences of Fa[Uo]. But the argument that
the two occurrences of Fa[Uo] share the constant a cannot be carried too far. In
general, to decide if two instantiations of Fa, say Fa[Uo] and Fa[Uo'], share the
constant a, we would have to check if the two argument units Uo and Uo' are
identical. Clearly, this is too complicated for static analysis, even if in trivial cases 
it can be seen to hold immediately, as above. Moreover, in some programming 
languages (Standard ML, Ada) the new items introduced by instantiation of 
generic modules are distinct for each such instantiation. 

Therefore, for safety, we assume that new symbols introduced by a generic 
unit are not shared between its instantiations, even when its arguments are the 
same in each case. (For programming languages with “applicative” rather than 
“generative” modules, this treatment is sound albeit marginally more awkward 
than necessary.) Auxiliary unit definitions may be used in Casl to avoid repe- 
tition of unit instantiation. For instance, we can rewrite the previous example: 

units Uo : SPo;
      Fa : SPo → SPa;
      Ua = Fa[Uo];
      Fb : SPa → SPb;
      Fc : SPa → SPc;
      Fd : SPb × SPc → SPd

In this context, Fd[Fb[Ua], Fc[Ua]] is well-formed and captures the intention
behind Fd[Fb[Fa[Uo]], Fc[Fa[Uo]]].

To sum up: in the context of a sequence of unit declarations and definitions, 
symbols in two units share if they can be traced to a common symbol in a 
non-generic unit. The “tracing procedure” can be broken down according to the 
constructs available for forming unit terms. For applications of generic units to 
arguments, symbols in the result are new if they do not occur in the argument 
signatures. Otherwise they can be traced to the same symbols in the arguments 
(and, transitively, to the symbols those can be traced to). The symbols of a 
declared unit can be traced only to themselves. The symbols of a defined unit 
may be traced according to the definitional term for the unit. 
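The tracing procedure just summarised, as an added example (our own Python, not code from the paper or from any Casl tool): specifications are reduced to their signatures, every symbol of a unit term is traced to an origin, and an application is well-formed only when symbols named in common by several parameters trace to the same origin; symbols introduced by a generic unit get a fresh origin per instantiation, so only the unit definition Ua = Fa[Uo] makes Fd[Fb[Ua], Fc[Ua]] well-formed in the last context above.

```python
"""Added example: static sharing analysis for unit terms in the style of
Sect. 6.  Data representation is our own: a context maps unit names to
("unit", Sig), ("generic", [Sig_1..Sig_n], Sig) or ("def", Term)."""
import itertools
from typing import Dict, FrozenSet, Tuple, Union

Sig = FrozenSet[str]
Origin = Tuple[str, str]                   # (unit or instantiation, symbol)
Term = Union[str, Tuple[str, tuple]]       # "U"  or  ("F", (T1, ..., Tn))

class NotWellFormed(Exception):
    pass

class SharingAnalysis:
    def __init__(self, ctx: Dict[str, tuple]) -> None:
        self.ctx = ctx
        self.defined: Dict[str, Tuple[Sig, Dict[str, Origin]]] = {}
        self.fresh = itertools.count()

    def trace(self, term: Term) -> Tuple[Sig, Dict[str, Origin]]:
        """Signature of `term` and, per symbol, the origin it traces to."""
        if isinstance(term, str):
            return self._name(term)
        f, args = term
        return self._apply(f, args)

    def _name(self, u: str):
        decl = self.ctx.get(u)
        if decl is None:
            raise NotWellFormed(f"unbound unit name {u}")
        kind = decl[0]
        if kind == "unit":              # declared unit: symbols trace to themselves
            return decl[1], {sym: (u, sym) for sym in decl[1]}
        if kind == "def":               # defined unit: trace its term once, reuse
            if u not in self.defined:
                self.defined[u] = self.trace(decl[1])
            return self.defined[u]
        raise NotWellFormed(f"{u} is generic and must be applied to arguments")

    def _apply(self, f: str, args: tuple):
        decl = self.ctx.get(f)
        if decl is None or decl[0] != "generic":
            raise NotWellFormed(f"{f} is not a declared generic unit")
        _, params, result = decl
        if len(params) != len(args):
            raise NotWellFormed(f"{f} expects {len(params)} argument(s)")
        origins: Dict[str, Origin] = {}
        for param_sig, arg in zip(params, args):
            sig, arg_origins = self.trace(arg)
            if sig != param_sig:        # Sig[T_i] must equal Sig[SP_i]
                raise NotWellFormed(f"argument signature mismatch for {f}")
            for sym in sig:             # commonly named symbols must share
                if sym in origins and origins[sym] != arg_origins[sym]:
                    raise NotWellFormed(f"arguments of {f} do not share {sym}")
                origins[sym] = arg_origins[sym]
        inst = f"{f}#{next(self.fresh)}"   # generative: fresh origin per instance
        return result, {sym: origins.get(sym, (inst, sym)) for sym in result}

def well_formed(ctx: Dict[str, tuple], term: Term) -> bool:
    try:
        SharingAnalysis(ctx).trace(term)
        return True
    except NotWellFormed:
        return False

# Signatures of SPo, SPa, SPb, SPc, SPd from Sect. 6 (symbol names only).
SPo, SPa, SPb, SPc, SPd = (frozenset(s) for s in ("s", "sa", "sab", "sac", "sabcd"))
FD = ("generic", [SPb, SPc], SPd)

# units Ub : SPb; Uc : SPc; Fd : SPb x SPc -> SPd
CTX_UNSHARED = {"Ub": ("unit", SPb), "Uc": ("unit", SPc), "Fd": FD}
# units Ua : SPa; Fb : SPa -> SPb; Fc : SPa -> SPc; Fd as above
CTX_SHARED = {"Ua": ("unit", SPa), "Fb": ("generic", [SPa], SPb),
              "Fc": ("generic", [SPa], SPc), "Fd": FD}
# units Uo : SPo; Fa : SPo -> SPa; Fb, Fc, Fd as above
CTX_GENERIC = {"Uo": ("unit", SPo), "Fa": ("generic", [SPo], SPa),
               **{k: v for k, v in CTX_SHARED.items() if k != "Ua"}}
# ... plus the unit definition Ua = Fa[Uo]
CTX_DEFINED = {**CTX_GENERIC, "Ua": ("def", ("Fa", ("Uo",)))}

VIA_UA: Term = ("Fd", (("Fb", ("Ua",)), ("Fc", ("Ua",))))
VIA_FA: Term = ("Fd", (("Fb", (("Fa", ("Uo",)),)), ("Fc", (("Fa", ("Uo",)),))))
```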

7 Semantics of Unit Terms 

An architectural specification comprises a sequence of unit declarations and def- 
initions followed by a unit term which shows how the named units can be put 
together to build the result. Obviously, it is not possible to put together units 
in completely arbitrary ways; they must fit together properly, as in modular 
programming languages. Then given an environment which maps the declared 
unit names to particular (possibly generic) structures, the result term denotes a 
structure. 

The static analysis of unit terms, with sharing analysis etc., is just the begin- 
ning of checking their correctness. The most crucial step is to check that when a 
unit (or tuple of units) is fed to a generic unit then the interfaces match, making 
sure that the requirements imposed on the parameter(s) of the generic unit by 
its specification are fulfilled by the argument (tuple) . To take a simple example: 

units U : SP;
      F : SP' → SP''

Can we now feed the unit U to the generic unit F? Or in other words: is the
unit term F[U] correct? In order for it to be well-formed, the signatures of U
and of the argument of F must coincide: Sig[SP] = Sig[SP']. And if F were
multiply-dependent with symbols in common between different arguments, then
sharing would also have to be checked. But also, F is required to work only for
arguments that realize SP', including the requirements imposed by any axioms
SP' may contain. So, for F[U] to be correct, we must make sure that what we
know about U is sufficient to establish what is required of the argument for F.
Clearly, everything we know about U is recorded in SP — no other information is
available. Even later on, when the unit U has been developed, the whole point of
its declaration here — which decomposes the development task into developing
U and F separately — is to limit the knowledge about U at this level to what
is provided by SP. So, what we know about the unit U is that it denotes a
structure in [[SP]]. The argument of F is required to denote a structure in [[SP']].
Consequently, the term F[U] is correct provided [[SP]] ⊆ [[SP']].

We have used different words to describe different aspects of “good” unit 
terms. Well-formedness is a static property, expected to be decidable so that 
it can be checked automatically. To check whether a unit term is well-formed 
we need information about the signatures of the units available as well as shar- 
ing information about them. In such a context, well-formedness of a term is 
determined as sketched in Sect. 6. Correctness requires verification: it is not
decidable in general. To check whether a unit term is correct we need full semantic
information about the available units, as explained below. 

The last example was perhaps misleadingly simple: the argument U of F
came equipped with an explicit specification that provided all the information
that was available about U. In general, the argument may be more complex
than this, and still we have to be able to gather all the information about it
that is available. So, for instance, what do we know about F[U], assuming that
Sig[SP] = Sig[SP'] and [[SP]] ⊆ [[SP']]? Clearly, we know that the result realizes
SP''. Is this all? Not quite: we also know that U, and hence the reduct of F[U]
to Sig[SP], realizes SP, which may carry more information than SP' does.

Given an environment ρ which maps unit names to particular (possibly
generic) structures, a unit term T denotes a structure [[T]]ρ, defined inductively
as follows:

— If T is a unit name U then [[T]]ρ = ρ(U).

— If T is an instantiation F[T_1, ..., T_n] where F is an n-ary generic unit and
T_1, ..., T_n are unit terms, then [[F[T_1, ..., T_n]]]ρ = ρ(F)([[T_1]]ρ, ..., [[T_n]]ρ).

Some unit terms will not denote. A trivial reason for this might be the application 
of a generic unit to the wrong number of arguments, or to arguments with wrong 
signatures, or the use of an unbound unit name. Less trivially, there might be an 
attempt to apply a generic unit to a non-compatible tuple of structures. These 
cannot happen if the term is well-formed in the sense discussed above. Finally, 
a term will not denote if it involves application of a generic unit to a structure 
outside its domain; this cannot happen if the term is correct. 

Correctness is defined in a context Γ where unit names are associated with
specifications. We say that an environment ρ matches a context Γ if they bind
the same unit names and for each unit name U in their domain, the structure
ρ(U) realizes the specification Γ(U): ρ(U) ∈ [[Γ(U)]]⁴. For any unit term T that
is well-formed in the context Γ, we write [[T]]Γ for the class of all structures [[T]]ρ
that T denotes in environments ρ that match Γ. Intuitively, [[T]]Γ captures the
properties of the unit built by T using unit declarations and definitions that
determine Γ.

Correctness of a well-formed unit term is defined inductively as follows:

— A unit name U is correct. (By well-formedness, U is declared in Γ.) It follows
that [[U]]Γ = [[Γ(U)]].



— An instantiation F[T_1, ..., T_n] is correct, where Γ(F) is SP_1 × ... × SP_n → SP,
if T_1, ..., T_n are so and [[T_1]]Γ ⊆ [[SP_1]], ..., [[T_n]]Γ ⊆ [[SP_n]]. It follows that
[[F[T_1, ..., T_n]]]Γ = {A ∈ [[SP]] | A|_Sig[SP_1] ∈ [[T_1]]Γ, ..., A|_Sig[SP_n] ∈ [[T_n]]Γ}.

⁴ Moreover, the units in ρ share the components indicated by the sharing information
in Γ.

This omits the use of defined units in unit terms, treated in the obvious way with 
information about these units extracted from their definitional terms and stored 
in the context as well. Some further constructs for unit terms (amalgamation, 
reduct/renaming, pushout-style instantiation using a fitting morphism, local unit 
definitions, λ-notation for generic units) are available in Casl, but these are not
discussed here for lack of space. 

The above statements defining the correctness of unit terms also provide a 
more direct way to compute [[T]]Γ, without referring to the class of all environments
that match Γ. This can be proved by induction on the structure of unit
terms, and can be used to directly calculate the ensured properties of T, and to 
validate its correctness. 

Theorem 1. Let Γ be a context and let T be a unit term that is well-formed
and correct in Γ. Then for any environment ρ that matches Γ, [[T]]ρ is defined
(and [[T]]ρ ∈ [[T]]Γ).

This means that once we have finished the development process and so have pro- 
vided realizations of each of the units declared, a correct result term will success- 
fully combine these realizations to give a structure which satisfies the properties 
we can calculate directly from the architectural specification. Correctness of the 
result term of an architectural specification can be checked before realizations 
of its component units are provided. No a posteriori checking is necessary! 
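An added example (our own Python, not the paper's code) of the evaluation [[T]]ρ defined above, with the two semantic side conditions of Sect. 5 made explicit: the argument tuple fed to a generic unit must be compatible, and the result must preserve each argument under reduct. Structures are dicts from symbol names to interpretations; the environment for Ua, Fb, Fc, Fd of Sect. 6, plus two deliberately defective units, is constructed here.

```python
"""Added example: [[U]]rho = rho(U) and
[[F[T1..Tn]]]rho = rho(F)([[T1]]rho, ..., [[Tn]]rho), checking compatibility of
the argument tuple and preservation of the arguments (Sect. 5)."""
from typing import Any, Callable, Dict, Tuple, Union

Structure = Dict[str, Any]
Term = Union[str, Tuple[str, tuple]]          # "U" or ("F", (T1, ..., Tn))

class DoesNotDenote(Exception):
    pass

def compatible(args: Tuple[Structure, ...]) -> bool:
    """(A_1, ..., A_n) is compatible if every symbol occurring in both A_i and
    A_j is interpreted in the same way in both."""
    for i, a in enumerate(args):
        for b in args[i + 1:]:
            if any(a[sym] != b[sym] for sym in a.keys() & b.keys()):
                return False
    return True

def preserves(result: Structure, args: Tuple[Structure, ...]) -> bool:
    """F(A_1, ..., A_n)|Sig[SP_i] = A_i for each i."""
    return all(all(sym in result and result[sym] == a[sym] for sym in a)
               for a in args)

def evaluate(term: Term, rho: Dict[str, Any]) -> Structure:
    """[[term]]rho; raises DoesNotDenote where the paper says the term does not denote."""
    if isinstance(term, str):
        if term not in rho:
            raise DoesNotDenote(f"unbound unit name {term}")
        return rho[term]
    f, subterms = term
    F: Callable[..., Structure] = rho[f]
    args = tuple(evaluate(t, rho) for t in subterms)
    if not compatible(args):
        raise DoesNotDenote(f"{f}: arguments are not a compatible tuple")
    result = F(*args)
    if not preserves(result, args):
        raise DoesNotDenote(f"{f}: result does not extend its arguments")
    return result

# Constructed environment for units Ua : SPa; Fb : SPa -> SPb; Fc : SPa -> SPc;
# Fd : SPb x SPc -> SPd.  The sort s is carried as a frozenset of its carrier.
S = frozenset({0, 1, 2})
RHO: Dict[str, Any] = {
    "Ua": {"s": S, "a": 0},
    "Fb": lambda A: {**A, "b": 1},
    "Fc": lambda A: {**A, "c": 2},
    "Fd": lambda B, C: {**B, **C, "d": B["b"]},   # satisfies d = b \/ d = c
    # units whose commonly named parts were developed without a shared origin
    "Ub": {"s": S, "a": 0, "b": 1},
    "Uc": {"s": S, "a": 1, "c": 2},
    # a "generic unit" outside [[SPa -> SPb]]: it overwrites a instead of extending
    "Fb_bad": lambda A: {**A, "a": 9, "b": 1},
}

def denotes(term: Term, rho: Dict[str, Any] = RHO) -> bool:
    try:
        evaluate(term, rho)
        return True
    except DoesNotDenote:
        return False

def realizes_SPd(A: Structure) -> bool:
    """Membership in [[SPd]]: sort s, constants a, b, c, d : s, and d = b \/ d = c."""
    return ({"s", "a", "b", "c", "d"} <= A.keys()
            and all(A[k] in A["s"] for k in "abcd")
            and (A["d"] == A["b"] or A["d"] == A["c"]))

GOOD: Term = ("Fd", (("Fb", ("Ua",)), ("Fc", ("Ua",))))
```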



8 Refinements of Architectural Specifications 

Section 4 indicated how a specification may be refined to an architectural
specification. Architectural specifications themselves can in turn be refined by refining
each of the specifications for its declared units separately. One remaining issue 
is to define refinements between specifications of generic units: 

    SP_1 → SP_2  ⇝  SP_1' → SP_2'

To begin with, we need the signatures to agree, that is: Sig[SP_1] = Sig[SP_1']
and Sig[SP_2] = Sig[SP_2']. Furthermore, we need that every generic unit that
realizes SP_1' → SP_2' must correctly realize SP_1 → SP_2, but allowing for restrictions
of mappings between structures to smaller domains. This amounts to requiring
[[SP_1]] ⊆ [[SP_1']] and [[SP_2' and SP_1]] ⊆ [[SP_2]]. Notice that the latter condition is
slightly weaker than the most obvious [[SP_2']] ⊆ [[SP_2]] — we can take advantage
of the fact that we are expected to apply the unit to arguments that realize SP_1.

This allows for linear development of individual units declared in an architec- 
tural specification. To allow further decomposition here, we can refine unit spec- 
ifications to architectural specifications. For closed units this is covered above. 
Specifications of generic units may be refined to architectural specifications with
generic result units.

The overall effect is that we have a development tree, rather than just a 
sequence of refinement steps. This was indeed the target from the very begin- 
ning. Each leaf of such a tree may be developed independently from the others, 
using the full machinery of further decomposition via architectural design etc. 
The development subtree beginning at any given node may be replaced by an- 
other development tree without affecting the other parts as long as the new 
development subtree is correct with respect to the specification at its root. 

9 Further Comments 

We have discussed the issue of designing the structure of a system to be developed 
from a specification. Our conclusion has been that apart from the usual mecha- 
nisms for structuring requirements specifications, we need a separate mechanism 
to describe the modular structure of the system to be developed. Casl provides 
this in the form of architectural specifications. We presented the basic ideas be- 
hind this concept. The semantics of architectural specifications has been sketched 
as well, but see [...] for all the details. This was sufficient to state a few basic
facts about the semantics, as well as to argue that properties of architectural
specifications ensure that the basic goals of their design have been achieved. 
Namely, architectural specifications make it possible to describe the structure 
of the system to be developed by listing the units to be built, providing their 
specifications and indicating the way they are to be combined. Once such an ar- 
chitectural specification is given then its internal correctness can be checked and 
the ensured properties of the resulting module can be calculated (to check if the 
original requirements specification has been fulfilled by this design). Moreover, 
further developments of the units required may proceed independently from each 
other, which brings in all the benefits of modular development. 

The above ideas have been presented in the specific context of Casl. How- 
ever, both the overall idea and the constructs for architectural specifications are 
largely independent from the details of the underlying Casl logical system. In 
fact, everything here can be presented in the context of an arbitrary institution 
01221 equipped with some extra structure — see [Mos98] for details. 

One issue which we have omitted above is that of behavioural implementation 
fSch87l IN()S9,5L liTT^ IHH9Y|. The idea is that when realizing a specification 
it is sufficient to provide a structure that is behaviourally equivalent to 
a model. Intuitively, two structures are behaviourally equivalent if they cannot 
be distinguished by computations involving only the predicates and operations 
they provide. 

When using a structure that was built to realize a specification up to 
behavioural equivalence, it is very convenient to pretend that it actually is a 
true model of the specification. This is sound provided all the available 
constructions on structures (hence all the generic units that can be developed) 
map behaviourally equivalent arguments to behaviourally equivalent results. More 
precisely: a generic unit is stable if, for any behaviourally equivalent arguments 
provided for it via a fitting morphism, the overall results of instantiations of 
this unit on them are behaviourally equivalent as well. If all units are stable, 
it is sufficient to check local behavioural correctness of unit terms only: this 
is defined like correctness in Sect. Q but allows the arguments for generic units 
to fit their formal requirement specifications only up to behavioural equivalence. 
Then the ensured properties ⟦T⟧_γ of any well-formed and locally behaviourally 
correct unit term T in a context γ can still be calculated exactly as in Sect. 7, 
as justified by the following theorem: 

Theorem 2. Let γ be a context and let T be a unit term that is well-formed 
and locally behaviourally correct in γ. Then for any environment ρ that matches 
γ up to behavioural equivalence, ⟦T⟧ρ is in ⟦T⟧_γ up to behavioural equivalence. 
Abstract. We show the coincidence of non-ground π-calculus and π_ξ-calculus, 
a CCS-like calculus that allows processes to be explicitly represented as 
temporary functions of input parameters, and as permanent functions of their 
free names. 

As intermediate results, strong and weak π-calculus full congruences are 
characterized as finitary closures of the corresponding π-bisimilarities. 
In this paper we consider only late π-calculus, but all of the characterizations 
can be easily adapted to deal with non-ground semantics of the early family. 



0 Introduction 

The π-calculus is a well-known process algebra that allows the description of 
mobile systems. The calculus, which has been shown to have great flexibility 
and expressive power, exploits a name-passing interaction paradigm. Names, 
synonyms of channels, can be sent around and received, possibly changing the 
local/global acquaintances of the inputting process. 

By this, name substitution has a fundamental role in the operational semantics 
of the calculus. Substitutions are most important also at the bisimulation 
level. This is essentially due to the fact that they can increase process move 
capabilities. For instance, unless the notion of name instantiation is moved 
inside the bisimulation definition itself (like, e.g., in the open semantics 
jSa.nflflp), bisimulation fails to be a congruence w.r.t. input prefix. The 
canonical example is in terms of the interleaving interpretation of parallel 
composition. Taking $\bar{x}z$ and $x(u)$ to denote, respectively, an output and 
an input action at channel $x$, such an interpretation equates the processes 
$(x \mid y)$ and $(x.y + y.x)$ (unnecessary syntactic details are omitted). 
Each of the - either strong or τ-forgetting - late or early bisimulation 
semantics, here generically denoted by x, is such that 

$$x \mid y \;\;\mathrm{x}\;\; x.y + y.x \qquad\qquad 
x(y).(x \mid y) \;\;\not\mathrm{x}\;\; x(y).(x.y + y.x)$$ 

The reason for the above inequivalence is that, whenever the leading input 
action $x(y)$ causes $y$ to be instantiated by $x$, the left-hand process 
$x(y).(x \mid y)$ can perform a τ-move that the right-hand process is not able 
to match. The usual way to extract the full congruence X from the ground 
relation x passes through a closure over name substitutions, so that classical 
definitions read as follows: 

$$P \;\mathrm{X}\; Q \quad \text{iff} \quad P\sigma \;\mathrm{x}\; Q\sigma 
\text{ for all substitutions } \sigma$$ 

Full congruences, also called non-ground relations, are pragmatically much more 
appealing than their ground duals, although the universal quantification over 
substitutions makes it prohibitive to verify them. 

The main concern of this paper is to present finitary characterizations of late, 
either strong or weak, π-calculus full congruences. The investigation is carried 
on in both the π-calculus itself and the π_ξ-calculus, a generalization of the 
process algebras presented in [FMQ96, FMQ95]. 

As for the π-calculus, we show that, by adequately quotienting name 
substitutions, $P \;\mathrm{X}\; Q$ can be expressed in terms of a finite number 
of bisimilarity checks $P\sigma \;\mathrm{x}\; Q\sigma$. 

Turning to the π_ξ-calculus, we characterize late π-congruences as corresponding 
CCS-like equivalences of one suitable single pair of π_ξ-processes. 

The coincidence between π-calculus and π_ξ-calculus makes it possible to 
easily export to the π-calculus some well-known results about the automated 
verification and the mathematical theory (logical, axiomatic, and denotational) 
of CCS equivalences (see, e.g., [(;PS93LlHCT^IAkiV94[IAbr91| l). 

The π-calculus meta-syntactic operation of substitution is explicitly handled 
in the π_ξ-calculus. The main operational idea underpinning the calculus is to 
avoid directly applying name substitutions to π-processes, and to let a distinct 
explicit component ξ serve the same purpose. Such a component acts as some 
kind of environment and represents associations among names. The generic 
π_ξ-process looks like ξ :: P, where P is an agent obtained by the usual 
π-calculus syntax extended with abstraction prefixes ‘λy.’. These prefixes are 
used to associate a concrete operational counterpart to the actualization of 
formal parameters. The idea is to interpret each input action x(y) as a 
non-atomic event. First a commitment at x takes place, coercing the inputting 
process to temporarily become a function of y. The subsequent move actualizes 
the name y, and the functional dependency on it is dropped for good. 

An analogous approach was used in [FMQ96, FMQ95] to characterize ground 
π-calculus semantics in terms of CCS-like bisimilarities. However, the proposed 
calculi were not general enough to capture the flavour of non-groundness, and 
the challenging issue of characterizing full congruences was left open. 

Here we fill that gap by stressing the correspondence between π-calculus name 
substitutions and π_ξ-calculus environments, and by emphasizing the significance 
of abstraction prefixes. We interpret π-calculus processes as actual, permanent 
functions of their free names, and show that suitable λ-closures of P and Q 
induce, in an effective way, the generation of those environments that correspond 
to the finite set of substitutions sufficient to infer $P \;\mathrm{X}\; Q$ from 
the ground bisimilarity of $P\sigma$ and $Q\sigma$. After this we prove the 
coincidence of non-ground π-calculus and π_ξ-calculus. Axiomatic 
characterizations of finite processes are provided, too. 
In this paper we only deal with late π-calculus; however, by minor changes, 
all of the characterizations stated for late congruences do hold of non-ground 
semantics of the early family [Qua96]. We only present the finite fragment of the 
π_ξ-calculus. Nevertheless the coincidence with π-calculus non-ground semantics 
does extend to the full language. 

A final remark is about the fact that the peculiar interpretation of input 
actions and abstraction prefixes ensures that, but for the unguarded behaviour of 
the replication operator, π_ξ-processes can always be modelled by finitely 
branching structures, which is generally not the case for data-dependent agents. 
So, our results could be particularly useful in the perspective of verifying 
mobile systems. 

The rest of the paper is organized as follows. In Section 1 we prove that 
each π-calculus non-ground late semantics can be expressed as the conjunction 
of a finite number of corresponding ground bisimilarities. In Section 2 we 
present the π_ξ-calculus, a simplified and generalized version of the calculi in 
[FMQ96, FMQ95]. Then we characterize late π-congruences as standard strong 
and weak bisimilarities of one single suitable pair of π_ξ-processes. An 
equational characterization of late π-calculus non-groundness is also provided. 
The final section contains some concluding remarks. 

Due to space constraints, proofs are omitted or briefly sketched. For a full 
account on them the reader is referred to |Qua 

1 Finitary Reformulation of π-Congruences 

This section is devoted to showing that any late π-calculus congruence X can be 
expressed by closing its corresponding ground relation x over a finite - vs. 
infinite - set of carefully chosen substitutions σ. Although our investigation 
refers to semantics of the late family, exactly the same results do hold for 
early relations [Qua96]. 

Familiarity with the π-calculus is assumed. We only recall a few main issues 
about its semantics. Letting $\mathcal{N}$ be a denumerably infinite set of names 
(ranged over by $x, y, z, \ldots$), the syntax of π-calculus processes (ranged 
over by $P, Q, \ldots$) is defined by the following grammar: 

$$P ::= \mathbf{nil} \;\mid\; x(y).P \;\mid\; \bar{x}y.P \;\mid\; \tau.P 
\;\mid\; P + P \;\mid\; P \,|\, P \;\mid\; [x = y]P \;\mid\; (y)P \;\mid\; !P$$ 

In $x(y).P$ and in $(y)P$ the displayed occurrences of $y$ are bindings with 
scope $P$. Free and bound names of a process $P$ (of an action $\alpha$) are 
denoted by $\mathrm{fn}(P)$ ($\mathrm{fn}(\alpha)$) and by $\mathrm{bn}(P)$ 
($\mathrm{bn}(\alpha)$) respectively. The symbol $\equiv$ denotes α-conversion. 

Name substitutions (ranged over by $\sigma, \sigma', \ldots$) are functions from 
$\mathcal{N}$ to $\mathcal{N}$ defined almost everywhere as the identity. 
Sometimes, when the substitution $\sigma$ differs from the identity only for the 
names in $\{x_1, \ldots, x_n\}$, $\sigma$ is simply written 
$\{x_1\sigma/x_1, \ldots, x_n\sigma/x_n\}$. The set $\{x_1, \ldots, x_n\}$ is 
then referred to as the domain of $\sigma$. 

Definition 1 (late π-calculus semantics) 

Assuming $\longrightarrow$ to be the π-calculus operational transition relation, 
let $\Longrightarrow$ be the reflexive and transitive closure of 
$\xrightarrow{\tau}$, let $\overset{\alpha}{\Longrightarrow}$ be 
$\Longrightarrow \xrightarrow{\alpha} \Longrightarrow$, and let 
$\overset{\hat\alpha}{\Longrightarrow}$ be $\Longrightarrow$ if $\alpha = \tau$, 
$\overset{\alpha}{\Longrightarrow}$ otherwise. A binary symmetric relation $S$ 
over π-calculus processes is a 

- late strong ground bisimulation if $P \, S \, Q$ implies that: (i) if 
$P \xrightarrow{\alpha} P'$ with $\alpha \neq x(y)$ and 
$\mathrm{bn}(\alpha) \notin \mathrm{fn}(P, Q)$, then for some $Q'$, 
$Q \xrightarrow{\alpha} Q'$ and $P' \, S \, Q'$; (ii) if 
$P \xrightarrow{x(y)} P'$ with $y \notin \mathrm{fn}(P, Q)$, then for some 
$Q'$, $Q \xrightarrow{x(y)} Q'$ and, for all $w$, 
$P'\{w/y\} \, S \, Q'\{w/y\}$; 

- late weak ground bisimulation if $P \, S \, Q$ implies that: (i) if 
$P \xrightarrow{\alpha} P'$ with $\alpha \neq x(y)$ and 
$\mathrm{bn}(\alpha) \notin \mathrm{fn}(P, Q)$, then for some $Q'$, 
$Q \overset{\hat\alpha}{\Longrightarrow} Q'$ and $P' \, S \, Q'$; (ii) if 
$P \xrightarrow{x(y)} P'$ with $y \notin \mathrm{fn}(P, Q)$, then for some 
$Q'$, $Q \overset{x(y)}{\Longrightarrow} Q'$ and, for all $w$, 
$P'\{w/y\} \, S \, Q'\{w/y\}$. 

P and Q are: (i) late strong ground bisimilar, written P Q, if $P \, S \, Q$ 
for some late strong ground bisimulation $S$; (ii) late strong bisimilar, 
written P Q, if $P\sigma$ and $Q\sigma$ are late strong ground bisimilar for 
all substitutions $\sigma$; (iii) late weak ground bisimilar, written P Q, if 
$P \, S \, Q$ for some late weak ground bisimulation $S$; (iv) late weak 
bisimilar, written P Q, if $P\sigma$ and $Q\sigma$ are late weak ground 
bisimilar for all substitutions $\sigma$; (v) late weak ground equal, written 
P Q, iff P and Q are late weak ground bisimilar and whenever 
$P \xrightarrow{\tau} P'$ then for some $Q'$, 
$Q \overset{\tau}{\Longrightarrow} Q'$ with $P'$ and $Q'$ late weak ground 
bisimilar, and symmetrically; (vi) late weak equal, written P Q, if $P\sigma$ 
and $Q\sigma$ are late weak ground equal for all substitutions $\sigma$. □ 

The universal quantification over substitutions in the definition of non-ground 
bisimilarities gives rise to a heavy requirement to check in practice. 
Nevertheless, not all of the infinitely many name substitutions are either always 
or equally relevant to infer process equivalence. For instance, given an 
arbitrary process P and any name $x \notin \mathrm{fn}(P)$, for all $w$ it holds 
that $P\{w/x\} = P$. Hence, a first simple improvement in deciding whether or 
not P is congruent to Q is to consider only those substitutions whose domains 
are given by fn(P, Q). To set further improvements it is crucial to examine how 
the application of name substitutions can change process move potentials. At 
least in the absence of a mismatching operator, substitutions do not decrease 
those potentials. However they might increase performance capabilities. 

For instance, assuming $x \neq y$, let $R_1 = (x \mid y)$ and 
$\sigma_x = \{x/x, x/y\}$. The parallel components of $R_1\sigma_x$ may be 
involved in a communication which is forbidden to the subprocesses of $R_1$. A 
τ-move is equally possible for $R_1\sigma_y$ when $\sigma_y = \{y/x, y/y\}$ 
and, more generally, a communication occurs between the subprocesses 
$x\sigma_z$ and $y\sigma_z$ of $R_1\sigma_z$ for any $\sigma_z = \{z/x, z/y\}$. 
Now suppose we want to check the congruence of $R_1$ and $R_2$, with $R_2$ such 
that $\mathrm{fn}(R_2) = \mathrm{fn}(R_1) = \{x, y\}$. Comparable action 
capabilities are expected for $R_1\sigma_x$ and $R_1\sigma_y$. This suggests 
that the bisimilarity of $R_1\sigma_x$ and $R_2\sigma_x$ might be related to 
that of $R_1\sigma_y$ and $R_2\sigma_y$ in a very precise sense. Our 
investigation leads to the proof of the following claim. 

Claim 2 Whenever $\mathrm{fn}(R_1, R_2) = \{x, y\}$ and $u \neq w$, the late 
congruence $R_1 \;\mathrm{X}\; R_2$ can be simply characterized as the 
conjunction of the two following ground relations: 

$$R_1\{u/x, u/y\} \;\mathrm{x}\; R_2\{u/x, u/y\} \qquad\qquad 
R_1\{u/x, w/y\} \;\mathrm{x}\; R_2\{u/x, w/y\} \qquad \square$$ 
The comparability of the move potentials of the above processes $R_1\sigma_x$ 
and $R_1\sigma_y$ depends on the fact that both $\sigma_x$ and $\sigma_y$ map 
$x$ and $y$ into the same target name. From this we gain the intuition that 
substitutions can be quotiented according to the way their domains are 
partitioned into subsets of names sharing the same image, no matter what such 
an image is. 

Definition 3 The name substitution $\sigma : \mathcal{N} \to \mathcal{N}$ is said 
to represent the partition of $N \subseteq \mathcal{N}$ into the $k$ disjoint 
and non-empty sets $N_1, \ldots, N_k$ iff $\forall j, h \in \{1, \ldots, k\}$ 
with $j \neq h$, $\forall x, y \in N_j$, $\forall z \in N_h$ it holds that 
$x\sigma = y\sigma$ and $x\sigma \neq z\sigma$. □ 

Given two substitutions $\sigma, \sigma'$ representing the same partition of 
fn(P, Q), our next goal is to relate the ground (in)equivalence of $P\sigma$ and 
$Q\sigma$ to the (in)equivalence of $P\sigma'$ and $Q\sigma'$. As auxiliary 
intermediate results, we prove statements on the relationship between the strong 
and the weak behaviour of $P\sigma$ and $P\sigma'$ with $\sigma$ and $\sigma'$ 
representing the same partition of fn(P). 

Lemma 4 Let $\sigma, \sigma' : \mathcal{N} \to \mathcal{N}$ represent the same 
partition of fn(P). If $P\sigma \xrightarrow{\alpha} P_1$ with 
$\mathrm{bn}(\alpha) \notin \mathrm{fn}(P\sigma, P\sigma')$ and such that 
$(\mathrm{bn}(\alpha))\sigma = (\mathrm{bn}(\alpha))\sigma' = \mathrm{bn}(\alpha)$, 
then by an inference of equal depth $P\sigma' \xrightarrow{\beta} P_2$ where, 
for some action $\gamma$ and some process $P'$ with 
$\mathrm{fn}(P') \subseteq \mathrm{fn}(P) \cup \mathrm{bn}(\alpha)$, it holds 
that $\alpha = \gamma\sigma$, $\beta = \gamma\sigma'$ and $P_1 = P'\sigma$, 
$P_2 = P'\sigma'$. □ 

Lemma 5 Let $\sigma, \sigma' : \mathcal{N} \to \mathcal{N}$ represent the same 
partition of fn(P). If $P\sigma \Longrightarrow P_1$ then by a derivation of 
equal length $P\sigma' \Longrightarrow P_2$ where, for some process $P'$ with 
$\mathrm{fn}(P') \subseteq \mathrm{fn}(P)$, it holds that $P_1 = P'\sigma$ and 
$P_2 = P'\sigma'$. □ 



Theorem 6 Let $\sigma, \sigma' : \mathcal{N} \to \mathcal{N}$ represent the same 
partition of fn(P, Q) and let x be one of the late ground relations of 
Definition 1. Then $P\sigma \;\mathrm{x}\; Q\sigma$ iff 
$P\sigma' \;\mathrm{x}\; Q\sigma'$. 

Proof (sketch): In the case of strong semantics, we set $S = \bigcup_n S_n$ 
where $S_0$ is a late strong ground bisimulation relating $P\sigma'$ and 
$Q\sigma'$ (the hypothesis), and 

$$S_{n+1} = \{ (P\sigma, Q\sigma) \mid P\sigma' \, S_n \, Q\sigma' 
\text{ and } \sigma, \sigma' \text{ represent the same partition of } 
\mathrm{fn}(P, Q) \}$$ 

Then $S$ is shown to be a late strong ground bisimulation by proving, by 
induction on $n$, that $P \, S_n \, Q$ implies that: (i) if 
$P \xrightarrow{\alpha} P'$ with $\alpha \neq x(y)$ and 
$\mathrm{bn}(\alpha) \notin \mathrm{fn}(P, Q)$, then for some $Q'$, 
$Q \xrightarrow{\alpha} Q'$ and $P' \, S \, Q'$; (ii) if 
$P \xrightarrow{x(y)} P'$ with $y \notin \mathrm{fn}(P, Q)$, then for some 
$Q'$, $Q \xrightarrow{x(y)} Q'$ and, for all $w$, 
$P'\{w/y\} \, S \, Q'\{w/y\}$. 
An analogous proof schema is used for τ-forgetting semantics. In those cases, 
by hypothesis, $(P\sigma', Q\sigma') \in U$ for some late weak ground 
bisimulation $U$ that possibly ensures the late weak ground equality of 
$P\sigma'$ and $Q\sigma'$. We set $T = \bigcup_n T_n$ where 

$$T_0 = U$$ 

$$T_{n+1} = \{ (P\sigma, Q\sigma) \mid P\sigma' \, T_n \, Q\sigma' 
\text{ and } \sigma, \sigma' \text{ represent the same partition of } 
\mathrm{fn}(P, Q) \}$$ 

and show that $T$ is a late weak ground bisimulation that possibly guarantees 
the late weak ground equality of $P\sigma$ and $Q\sigma$. □ 

The above theorem ensures that lots of checks may be saved when deciding the 
non-ground bisimilarity of two processes P and Q. In fact, once 
$P\sigma \;\mathrm{x}\; Q\sigma$ has been proved, any other test on 
$P\sigma' \;\mathrm{x}\; Q\sigma'$ is superfluous if $\sigma$ and $\sigma'$ 
represent the same partition of fn(P, Q). It is then a matter of isolating a 
kernel of relevant substitutions. To this end, substitutions are grouped into 
families representing a given set of names. 

Definition 7 Let $N \subseteq \mathcal{N}$ be a set of names and 
$\{\sigma_i\}_{i \in I}$ be a family of name substitutions 
$\sigma_i : \mathcal{N} \to \mathcal{N}$. Then $\{\sigma_i\}_{i \in I}$ is a 
partition family of $N$ iff the following holds: 

- if $N = \emptyset$ then $\{\sigma_i\}_{i \in I}$ contains only the identity 
substitution; 

- for each partition of $N \neq \emptyset$ into $k$ disjoint and non-empty 
sets $N_1, \ldots, N_k$, there is exactly one substitution in 
$\{\sigma_i\}_{i \in I}$ that represents $N_1, \ldots, N_k$. □ 

Notice that there exist infinitely many distinct partition families of 
$N \neq \emptyset$. However, any partition family of $N$ is non-redundant in a 
very precise sense: it contains one and only one representative of each of the 
possible partitions of $N$. Relying on the notion of partition family, we can 
eventually justify Claim 2 by proving the main result of this section. 

Theorem 8 Let P, Q be π-calculus processes and let x be one of the late ground 
relations of Definition 1. Also, assume X to be the non-ground relation 
corresponding to the chosen x. Then $P \;\mathrm{X}\; Q$ iff 
$P\sigma \;\mathrm{x}\; Q\sigma$ for all $\sigma \in \{\sigma_i\}_{i \in I}$, 
with $\{\sigma_i\}_{i \in I}$ a partition family of fn(P, Q). □ 

As fn(P, Q) is a finite set, any partition family of fn(P, Q) is finite. Hence 
Theorem 8 provides a finite upper bound to the number of ground bisimilarity 
checks which are necessary to infer full congruence. 

2 Characterizing π-Congruences in π_ξ-Calculus 

In the following we present the π_ξ-calculus, a CCS-like process algebra that 
simplifies and generalizes the calculi proposed in [FMQ96, FMQ95]. For x one of 
the three late ground relations of Definition 1, we show that 
$P \;\mathrm{X}\; Q$ coincides with the corresponding CCS-bisimilarity of two 
single π_ξ-processes. Equational characterizations of late non-ground 
π-calculus semantics are also provided. Although only the finite fragment of 
the π_ξ-calculus is presented here, its semantic coincidence with non-ground 
π-calculus does hold of the full language. 
[Table 1. symbolic operational semantics: the rules for restriction $(y)P$ and 
for matching $[x = y]P$ (which adds $x = y$ to the obligation of the label), 
the merge $(\alpha_1, C_1) \parallel (\alpha_2, C_2)$ of two labels into a 
communication, and the label functions $\nu_y(\alpha, C)$ and 
$o_y(\alpha, C)$; the table body is not legible in this scan] 



Processes of the π_ξ-calculus are written ξ :: P and ranged over by 
$S, S_1, \ldots$. The right component of the state operator is (essentially) a 
π-calculus process, while ξ keeps track of the associations among names carried 
out in the past of the ongoing computation. Name substitutions are never applied 
to the right component of ξ :: P, hence ξ can be viewed as an environment giving 
the actual associations of names. As for the right component P, reasoning up 
to α-conversion, we assume that there is no homonymy either among bound 
names or among free and bound names. But for this requirement, P is defined 
by the usual π-calculus syntax extended with the new family of prefixes ‘λy.’. 
For brevity, in spite of these new prefixes, we often refer to the right 
component of any π_ξ-calculus process as a π-calculus process. 

The operational semantics of the π_ξ-calculus follows the SOS style |™i] 
and is based on a two-stage approach. The first stage consists of the definition 
of a symbolic semantics where transition labels record requirements on names. 
The evaluation of those requirements is one of the main concerns of the top level 
transition system. 

The symbolic operational semantics is given by the axioms and rules reported 
in Tab. 1 together with symmetric rules for choice and asynchronous parallel 
composition. Labels, ranged over by $\omega, \omega', \ldots$, are pairs of the 
form $(\alpha, C)$. The first component is an action; the second component, 
called obligation, is a logical formula that codes requirements on names. 
The execution of the prefix λy results in the action $[y]$ that calls for an 
actualization of the formal parameter y. Differently from the π-calculus, 
communication is characterized by one single inference rule. Complete information 
about privacy of names is captured by environments, hence, at this first level, 
communicating private names is considered to be the same as sending public 
channels. Before plunging processes into environments, we only impose a 
consistency requirement: no process must be allowed to commit on a link that is 
not known outside. To this end, input and output transition labels include an 
obligation on the channel $x$, which demands a delayed check against the privacy 
of $x$. 

Left components of π_ξ-processes are sets of equations on two distinct entities: 
names and constants. Constants are taken from a denumerably infinite set 
$\mathcal{D}$ that is ranged over by $c, c_1, c_2, \ldots$, and disjoint from 
the set $\mathcal{N}$ of names. 

Definition 9 An environment ξ is an equivalence relation over 
$\mathcal{N} \cup \mathcal{D}$ which is: 

- consistent: $c_i \, \xi \, c_j$ implies $c_i = c_j$; 

- finitely active: the set $\{(a, b) \mid a \neq b \text{ and } a \, \xi \, b\}$ 
is finite. 

We denote by $[a]_\xi$ the equivalence class of ξ containing $a$. A constant 
$c$ is active in ξ iff there exists $y$ such that $y \in [c]_\xi$; it is 
inactive otherwise. The identity environment is denoted by Id. Also, letting 
$R_1, R_2$ be relations over $\mathcal{N} \cup \mathcal{D}$, the smallest 
equivalence relation including $(R_1 \cup R_2)$ is denoted by $R_1 + R_2$. □ 

We sometimes let ξ assume the reading of a partial function. In particular, 
whenever $(y \, \xi \, c)$, we write $\xi(y)$ for $c$, and say that 
$\xi(-)$ is defined on $y$, denoted by $\xi(y)\!\downarrow$. Also, in order to 
guarantee the run-time generation of fresh constants, we assume the existence of 
two specialized functions: allD and newD. The application $\mathrm{allD}(\xi)$ 
returns the finite set of all the constants that are active in the argument, 
while $\mathrm{newD}(\xi)$ yields a constant which is inactive in ξ. We suppose 
that newD only depends on the active constants in the argument, so that 
$\mathrm{allD}(\xi_1) = \mathrm{allD}(\xi_2)$ implies 
$\mathrm{newD}(\xi_1) = \mathrm{newD}(\xi_2)$. 

The late π_ξ-calculus operational semantics is described by the transition 
relation ‘$\longrightarrow$’ defined in Tab. 2. The behaviour of ξ :: P is 
inferred from a symbolic transition of P by invoking suitable functions on 
environments. The possibly many-valued update function η takes care of 
extending the environment ξ with the name associations activated by the 
transition. The first step in computing η consists in checking the 
satisfiability of the obligation. Whenever the requirements expressed by C are 
not met in the environment ξ, the application of η returns the empty set, so 
that the π_ξ-process at hand is unable to move. Otherwise, depending on the 
structure of the action α, the update function yields a set of environments 
obtained by possibly adding a pair to ξ. 

The case when α is a placeholder instantiation is particularly interesting: the 
function η yields as many environments as the possible choices of $c$ in 
$\mathrm{allD}(\xi)$, plus a new constant. This corresponds to instantiating 
$y$ with (possibly a superset of) all the free names of the process at hand, 
plus a fresh one. The intuitive reason for this relies on the following. Given 
$P'$, the processes $P'\{z/y\}$ and $P'\{u/y\}$ have analogous move potentials 
whenever $z, u \notin \mathrm{fn}(P')$. More precisely 
[Table 2. definition of $\longrightarrow$: the top-level rules deriving the 
moves of ξ :: P from the symbolic moves of P; the update function 
$\eta(\xi, \alpha, C)$, which returns $\emptyset$ when $[C]_\xi$ does not hold 
and, in the case $\alpha = [y]$, the set 
$\bigcup_{c \in \mathrm{allD}(\xi) \cup \{\mathrm{newD}(\xi)\}} \{\xi + (y, c)\}$; 
the result function $\delta$; and the evaluation $[C]_\xi$ of obligations 
(true gives tt, false gives ff, $x = y$ gives tt iff $x \, \xi \, y$, 
$x \neq y$ gives ff iff $x \, \xi \, y$, and $C_1 \wedge C_2$ gives 
$[C_1]_\xi$ and $[C_2]_\xi$); the remaining entries are not legible in this 
scan] 
either $P'\{z/y\}$ or $P'\{u/y\}$ has the same action capabilities as $P'$ 
has. Then, whenever P performs the input $x(y)$ transforming into $P'$, the 
relevant instantiations of $y$ in $P'\{w/y\}$ are given by 
$w \in \mathrm{fn}(P') \subseteq \mathrm{fn}(P) \cup \{y\}$. The definition 
of $\eta(\xi, [y], C)$ is meant to mimic those instantiations. The function 
$\mathrm{allD}(\xi)$ plays the role of fn(P) while $\mathrm{newD}(\xi)$ stands 
for the set $\{y\}$. At any time during execution only finitely many constants 
are active. Hence finite π_ξ-processes (or, in the full calculus, processes with 
at most guarded occurrences of the replication operator) can always be 
represented by finitely branching transition systems. 

The result function δ yields either τ or the constant(s) associated with the 
relevant name(s). Observation labels are given by the grammar 
$\rho ::= \tau \mid c \mid [c] \mid \bar{c}c' \mid cc'$. 

A last remark on the operational semantics of the calculus is about the 
first-class role of name instantiation. Correspondingly to the execution of the 
symbolic action $x(y)$, process ξ :: P evolves to ξ' :: λy.P', whose right 
component is an explicit temporary function of the parameter y. The next - 
compulsory - move of ξ' :: λy.P' is the instantiation of y. 

Notice that, although the first level operational semantics is symbolic, the 
π_ξ-calculus transition system is labelled by concrete events. This allows us to 
set, as extensional semantics of the calculus, the usual strong, weak, and 
observational CCS equivalences |Par81llCTIIH^IHM85|, the strong one being 
denoted by $\sim$. 



2.1 Main Results 

In [FMQ96, FMQ95] calculi analogous to the one introduced above were used to 
characterize ground π-calculus semantics. Those calculi were not general enough 
to encompass coincidence with π-congruences. Here we fill this gap, and 
characterize π-calculus non-ground semantics, either strong or τ-forgetting. 

Relying on the results of Section 1, we show that λ-abstractions can be 
exploited to capture the intrinsic and permanent functional dependency of 
π-processes on their free names. This is mainly due to the fact that 
environments encode name substitutions in a genuine way. In particular they 
naturally represent, via equivalence classes, partitions of sets of names. 

Definition 10 The environment ξ represents the partition of 
$N \subseteq \mathcal{N}$ into the disjoint and non-empty sets 
$N_1, \ldots, N_k$ iff the following holds: 

- $N = \bigcup_{c \in \mathrm{allD}(\xi)} ([c]_\xi \cap \mathcal{N})$; 

- for all $j \in \{1, \ldots, k\}$ there exists $c \in \mathrm{allD}(\xi)$ such 
that $N_j = ([c]_\xi \cap N)$. □ 

A more effective feature can be modelled in the π_ξ-calculus. Consider the 
process $S_0 = (\mathrm{Id} :: \lambda x.\lambda y.\lambda z.\mathbf{nil})$. No 
constant is active in Id. Then, when the leading prefix λx fires, the name x is 
deterministically associated with $c_1 = \mathrm{newD}(\mathrm{Id})$. 
Correspondingly, $S_0$ is transformed into 
$S_1 = (\mathrm{Id} + (x, c_1) :: \lambda y.\lambda z.\mathbf{nil})$ with 
$(\mathrm{Id} + (x, c_1))$ representing the only possible partition of $\{x\}$. 
Since the actual environment contains one active constant, the symbolic step 
labelled by $([y], \mathrm{true})$ now induces two distinct transitions from 
$S_1$. One is labelled by $[c_1]$, the other is labelled by the concretion of a 
new constant $c_2$. The two derivatives of $S_1$ have a common right component 
($\lambda z.\mathbf{nil}$), but their environments are distinct because of the 
association of y with different constants. Such environments represent the 
partitioning of the set $\{x, y\}$ into $\{x, y\}$ and into $\{x\} \cup \{y\}$, 
respectively. Each computation goes on by firing the λz prefix, and the 
environments of the derivative processes represent all the possible partitions 
of $\{x, y, z\}$. This sample argument is made precise by the following 
statement. 

Proposition 11 Suppose that $\xi :: \lambda y.P \xrightarrow{\rho} \xi' :: P$; 
then the following holds. 

1. If $\xi = \mathrm{Id}$ then $\rho = [\mathrm{newD}(\mathrm{Id})]$ and $\xi'$ 
represents the only possible partition of $\{y\}$. 

2. If ξ represents the partition of $N$ into $N_1, \ldots, N_k$, with 
$y \notin N$, then 

- if $\rho = [c]$ with $([c]_\xi \cap \mathcal{N}) = N_j$, then $\xi'$ 
represents the partition of $N \cup \{y\}$ into the $k$ sets 
$N_1, \ldots, N_j \cup \{y\}, \ldots, N_k$; 

- if $\rho = [\mathrm{newD}(\xi)]$ then $\xi'$ represents the partition of 
$N \cup \{y\}$ into the $k + 1$ sets $N_1, \ldots, N_k, \{y\}$. □ 
Proposition 11 highlights that environments representing partitions of sets can 
be effectively generated by sequential compositions of λ-abstractions. 
Coincidence between π-calculus and π_ξ-calculus is obtained by suitably 
combining this feature with the fact that the congruence $P \;\mathrm{X}\; Q$ is 
expressible as the conjunction of $P\sigma \;\mathrm{x}\; Q\sigma$ for all 
$\sigma$ in a partition family of fn(P, Q) (Theorem 8). 

Definition 12 Let P be a π-calculus process, and ℓ be a list of names. The 
set of names that occur in ℓ is denoted by n(ℓ). The λ-closure of P w.r.t. ℓ 
is defined as $\lambda\_\mathrm{clos}(P, \ell)$ where 

$$\lambda\_\mathrm{clos}(P, [\,]) = P$$ 

$$\lambda\_\mathrm{clos}(P, [y, \ell]) = \lambda\_\mathrm{clos}(\lambda y.P, \ell)$$ 

with $[\,]$ denoting the empty list, and $[\_, \_]$ denoting the ‘cons’ list 
operator. □ 

Theorem 13 (coincidence with late non-ground semantics) 

Let P, Q be π-calculus processes and let ℓ be a list s.t. n(ℓ) = fn(P, Q). Then 

1. P and Q are late strong bisimilar iff 
$\mathrm{Id} :: \lambda\_\mathrm{clos}(P, \ell) \sim 
\mathrm{Id} :: \lambda\_\mathrm{clos}(Q, \ell)$ (strong CCS bisimilarity); 

2. P and Q are late weak bisimilar iff 
$\mathrm{Id} :: \lambda\_\mathrm{clos}(P, \ell)$ and 
$\mathrm{Id} :: \lambda\_\mathrm{clos}(Q, \ell)$ are weakly CCS bisimilar; 

3. P and Q are late weak equal iff 
$\mathrm{Id} :: \lambda\_\mathrm{clos}(P, \ell)$ and 
$\mathrm{Id} :: \lambda\_\mathrm{clos}(Q, \ell)$ are CCS observationally 
congruent. □ 

Reasoning about congruences compels us to take into account that putting a 
process into an arbitrary context might cause arbitrary instantiations of its 
free names. Taking λ-closed terms corresponds to this intuition: processes are 
interpreted as permanent functions of their free names. 

Assuming that $\mathrm{card}(\mathrm{fn}(P, Q)) = n$, there are $n!$ distinct 
permutations of the elements in fn(P, Q). Hence there exist $n!$ distinct lists 
built out of fn(P, Q). Theorem 13 asserts that the congruence of P and Q can 
be checked relying on any one of those lists, chosen at random. The role played 
by ℓ in the definition of $\lambda\_\mathrm{clos}(P, \ell)$ is to generate the 
environments that represent a partition family of fn(P, Q). The wanted effect 
is independent of the actual choice of the list. Whenever the same ℓ is used 
in the definition of both the λ-closure of P and the λ-closure of Q, we are 
guaranteed that the bisimilarity of the pair of processes 
$(\mathrm{Id} :: \lambda\_\mathrm{clos}(P, \ell), 
\mathrm{Id} :: \lambda\_\mathrm{clos}(Q, \ell))$ is factorized into the 
bisimilarity of all the pairs in $\bigcup_p (\xi_p :: P, \xi_p :: Q)$, where 
$p$ ranges over the possible partitions of fn(P, Q) and $\xi_p$ represents the 
partition $p$. 
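
As an added illustration (not the paper's code), the following Python model 
implements environments with allD and newD (Definition 9), the compulsory move 
of ξ :: λy.P from Table 2, the λ-closure of Definition 12, and the partition 
represented by an environment (Definition 10); it uses them to generate a 
partition family of fn(P, Q) in the sense of Definition 7, reproducing the two 
checks of Claim 2 and counting the ground checks left by Theorem 8 for larger 
name sets. Names are modelled as strings and constants as positive integers, and 
newD picks the least inactive constant; these representations are assumptions. 

```python
# Added example, not the paper's code: environments, lambda-steps, lambda-closure
# and partition families. Names are strings, constants are positive ints, and
# newD returns the least inactive constant (all three choices are assumptions).


class Env:
    """An environment xi (Definition 9): an equivalence relation over names
    and constants, stored as a map from each element to its class."""

    def __init__(self, blocks=()):
        self.cls = {}
        for block in blocks:
            block = frozenset(block)
            for a in block:
                self.cls[a] = block

    def cls_of(self, a):
        """[a]_xi; a singleton class when a is related to nothing else."""
        return self.cls.get(a, frozenset({a}))

    def all_d(self):
        """allD(xi): the active constants, i.e. those related to some name."""
        return sorted(c for c, block in self.cls.items()
                      if isinstance(c, int)
                      and any(isinstance(b, str) for b in block))

    def new_d(self):
        """newD(xi): an inactive constant, depending only on the active ones."""
        return max(self.all_d(), default=0) + 1

    def plus(self, y, c):
        """xi + (y, c): the least equivalence relation containing xi and (y, c)."""
        merged = self.cls_of(y) | self.cls_of(c)
        blocks = {b for b in self.cls.values() if not (b & merged)} | {merged}
        return Env(blocks)

    def partition(self, names):
        """The partition of `names` represented by xi (Definition 10)."""
        blocks = (self.cls_of(c) & set(names) for c in self.all_d())
        return frozenset(frozenset(b) for b in blocks if b)


def lam_step(xi, y):
    """The compulsory move of xi :: lambda y.P (Table 2, case [y]): one
    transition labelled [c] per c in allD(xi), plus one labelled [newD(xi)]."""
    return [(c, xi.plus(y, c)) for c in xi.all_d() + [xi.new_d()]]


def lam_closure_envs(names):
    """All environments xi' reachable as Id :: lambda_clos(P, names) ->* xi' :: P.
    Definition 12 nests the last name of the list outermost, so prefixes fire
    in reverse list order."""
    envs = [Env()]                      # Id: no constant is active
    for y in reversed(names):
        envs = [xi2 for xi in envs for _, xi2 in lam_step(xi, y)]
    return envs


def substitution_of(xi, names):
    """A name substitution representing the same partition as xi (Definition 3):
    every name is mapped to the least name of its block (dict name -> image)."""
    return {n: min(xi.cls_of(n) & set(names)) for n in names}


def partition_family(names):
    """A partition family of `names` (Definition 7) generated by the
    lambda-closure: exactly one substitution per partition (Proposition 11)."""
    family = {}
    for xi in lam_closure_envs(names):
        p = xi.partition(names)
        assert p not in family, "each partition must be reached exactly once"
        family[p] = substitution_of(xi, names)
    return family


def bell(n):
    """Number of partitions of an n-element set (Bell triangle): the number of
    ground bisimilarity checks that Theorem 8 leaves for n free names."""
    row = [1]
    for _ in range(n):
        nxt = [row[-1]]
        for v in row:
            nxt.append(nxt[-1] + v)
        row = nxt
    return row[0]


if __name__ == "__main__":
    # Claim 2: with fn(R1, R2) = {x, y}, two ground checks suffice.
    for p, sigma in partition_family(["x", "y"]).items():
        print(sorted(sorted(b) for b in p), sigma)
    print(len(partition_family(["x", "y", "z"])), "checks for three names")
```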

The proof of Theorem 13 relies on the definition of encodings of each calculus 
in the other, so that, for instance, environments are translated into proper 
substitutions and consistent information about the privacy of names is 
retrieved. A key point of the proof is the characterization of operational 
correspondences between related terms. The observability of the actualization 
of input parameters plays a central role, too. On the π-calculus side, late 
bisimulation input clauses use a sequence of quantifiers of the shape 
‘$\forall\exists\forall$’, with the last quantification relating to the 
placeholder instantiation $w$. On their side, CCS-like bisimulations can express 
universal quantifications only on the set of the possible next moves. Hence 
forcing the parameter actualization to become a distinguished operational step 
is the only way to mimic the above ‘$\forall w$’ in a CCS-like setting. 
𝒜_S:

(U) C :: o;.P = (C' :: P) if 7^ {^V), C)
(V) C :: {x{y),C).P = ©e'6,,(e.<.C),C))^(e'-(*(y).C^));(C' :: (M,true).P)
(C) ξ :: (P1 + P2) = ξ :: P1 ⊕ ξ :: P2

(C1) P1 + P2 = P2 + P1
(C2) (P1 + P2) + P3 = P1 + (P2 + P3)
(C3) P + P = P
(C4) P + nil = P

(R) (x)P = (νx)P + (ox)P
(EX) P1 | P2 = P1 ⌊ P2 + P2 ⌊ P1 + P1 ∥ P2

(C1') S1 ⊕ S2 = S2 ⊕ S1
(C2') (S1 ⊕ S2) ⊕ S3 = S1 ⊕ (S2 ⊕ S3)
(C3') S ⊕ S = S
(C4') S ⊕ ξ :: nil = S

(A1) [x = y] ω.P = μ_y(ω).P
(A2) ω.P1 ⌊ P2 = ω.(P1 | P2)
(A3) ω1.P1 ∥ ω2.P2 = (ω1 ∥ ω2).(P1 | P2)
(A4) (νx)(ω.P) = ν_x(ω).(x)P
(A5) (ox)(ω.P) = o_x(ω).P

(D1) [x = y](P1 + P2) = [x = y]P1 + [x = y]P2
(D2) (P1 + P2) ⌊ P = P1 ⌊ P + P2 ⌊ P
(D3) (P1 + P2) ∥ P = P1 ∥ P + P2 ∥ P
(D4) P ∥ (P1 + P2) = P ∥ P1 + P ∥ P2
(D5) (νx)(P1 + P2) = (νx)P1 + (νx)P2
(D6) (ox)(P1 + P2) = (ox)P1 + (ox)P2

(IN) [x = y] nil = (νx) nil = (ox) nil = nil ⌊ P = P ∥ nil = nil ∥ P = nil

𝒜_W:

(T1) μ; τ; S = μ; S
(T2) S ⊕ τ; S = τ; S
(T3) μ; (S1 ⊕ τ; S2) ⊕ μ; S2 = μ; (S1 ⊕ τ; S2)

Table 3. Axiom systems 𝒜_S, 𝒜_W



2.2 Equational Characterizations

In [Lin95], π-calculus congruences have been characterized in terms of symbolic
bisimulation. The perspective of our encoding is orthogonal to Lin's symbolic view.
Reasoning in terms of π_ξ-calculus semantics moves to the π-calculus a
number of verification algorithms and general results that have been developed,
over the years, for CCS and its theory.

A significant example of the relevance of inheriting the general CCS meta-theory
is the following equational characterization, based on the axiom systems
drawn in Tab. 3.

Theorem 14 (equational characterization of late non-ground semantics)

Let P, Q be finite π-calculus processes and let 𝓛 be a list s.t. n(𝓛) = fn(P, Q).
Then

1. P Q iff 𝒜_S ⊢ Id_𝓛 :: λ_clos(P, 𝓛) = Id_𝓛 :: λ_clos(Q, 𝓛)

2. P Q iff 𝒜_S, 𝒜_W ⊢ Id_𝓛 :: λ_clos(P, 𝓛) = Id_𝓛 :: λ_clos(Q, 𝓛) □

The axiom system 𝒜_S in Tab. 3 is defined after the following observations. The
symbolic operational semantics given earlier fits in a simple generalization of the
De Simone format. By this, a head-normalizing axiom system for the
π-component of any π_ξ-process can be stated by imposing the monoidal laws
for summation (C1–C4) and exploiting the standard procedure for turning rules in
that format into equations. The idea is to introduce auxiliary operators in order
to break down those process constructors whose operational behaviour is described by
more than one inference rule (R, EX). Auxiliary operators are then pushed as deep
as possible inside the structure of the term by means of action axioms (A1–A5) and
distributive laws (D1–D6), until they actually disappear, due to the inaction
equations (IN).

Once its right component has been reduced to head normal form, any finite
π_ξ-process can be transformed into a finite labelled tree given by the grammar
S ::= P | μ; S | S ⊕ S, where ';' is a prefixing operator, '⊕' is a
non-deterministic choice constructor, and the neutral element of ⊕ is assumed to be
the π_ξ-process ξ :: nil, for an arbitrary instantiation of ξ. Now, reducing a
π_ξ-calculus process into a sum of prefixes only requires: two axioms corresponding
to the operational rules that define the top level transition relation (U, V);
one equation describing the distributivity of the low level choice operator over
the state constructor (C); and the monoidal laws for the top level summation
(C1'–C4').

Eventually, 𝒜_W simply consists of Milner's τ-laws for observational
congruence.

3 Concluding Remarks

The main contribution of the paper is the finitary nature of the characterizations
of late, either strong or weak, π-calculus congruences. Target languages
of those characterizations are either the π-calculus itself or the π_ξ-calculus, a
generalization of the calculi proposed in [MQ96, FMQ96].

A characterization of weak π-calculus non-groundness already appeared in
[Lin95]. Lin's formulation is in terms of symbolic bisimulation. Our perspective
is orthogonal to that symbolic view. Non-ground π-calculus semantics
are rephrased as CCS equivalences that come equipped with well-established
mathematical properties and verification tools. The axiomatizations we presented
are relevant examples of the significance of re-using the general CCS
meta-theory.

Relating to the full π-calculus, it was shown that each late non-ground equivalence
can be expressed by closing the corresponding ground bisimilarity under
the substitutions of a suitable finite family. This result can be directly
instantiated to early semantics, either strong or τ-forgetting. So it gives insights
on the complexity of checking a large spectrum of π-calculus congruences.

The π_ξ-calculus view allowed processes to be explicitly interpreted as temporary
functions of input parameters and as permanent functions of their free
names. One of the advantages of adopting this perspective is that the mere
evolution of a λ-closed term induces the generation of (the environments
corresponding to) the substitutions needed to check non-groundness. This adds
effectiveness to the first alternative characterization we provided.

Here we dealt only with the finite fragment of the π_ξ-calculus, and tackled
only its late semantics. However, the coincidence of non-ground π-calculus and
π_ξ-calculus semantics does hold for the full language [Qua96]. Further, π-calculus
congruences of the early family can be characterized using an approach analogous to
the one we adopted for the late case. The early view can be retrieved as a special
case of late π_ξ-semantics by minor changes to the top level transition system
[Qua96]. In the same spirit as free input actions, those changes
essentially amount to making atomic any input step and the subsequent
instantiation move.
Abstract. In most algebraic specification frameworks, the type system
is restricted to sorts, subsorts, and first-order function types. This is in
marked contrast to the so-called model-oriented frameworks, which provide
higher-order types, interpreted set-theoretically as Cartesian products,
function spaces, and power-sets. This paper presents a simple framework
for algebraic specifications with higher-order types and set-theoretic
models. It may be regarded as the basis for a Horn-clause approximation
to the Z framework, and has the advantage of being amenable to
prototyping and automated reasoning. Standard set-theoretic models are
considered, and conditions are given for the existence of initial reducts of
such models. Algebraic specifications for various set-theoretic concepts
are considered.



1 Introduction 

There are two main schools of thought regarding the formal specification of
abstract data types: the model-oriented and the property-oriented. In a model-oriented
specification, the emphasis is on specifying data types as set-theoretic
structures (products, power sets, etc.), the operations of the data types then
being defined as particular functions on these structures. The underlying logic
for reasoning about such a specification is a powerful higher-order logic, e.g.,
based on ZF set theory. In a property-oriented specification, one generally tries
to avoid choosing an explicit representation: types are left abstract as so-called
sorts, sometimes equipped with a subsort inclusion relation, but otherwise
unstructured. The operations are specified by axioms that relate them to each
other, usually including the main intended algebraic properties. The underlying
logic is often a modest Horn-clause fragment of equational first-order logic,
supplemented by an induction rule when dealing with initial algebra semantics
rather than loose semantics. In practice, some model-oriented specification
languages (such as Z) do allow types to be left abstract (or 'given'), with the
operations on them specified by axioms. Moreover, the use of auxiliary ('hidden')
sorts and operations in property-oriented specifications can give these a
model-oriented flavour. There are also some wide-spectrum languages (e.g., RSL,
Spectrum) which encompass both approaches, allowing model- and property-oriented
specifications to be mixed together.

It seems to us that both the model- and property-oriented approaches have
their advantages and disadvantages. In particular, we regard the restriction to
Horn-clause logic in the latter as beneficial, since not only are the consequences
of a specification much more obvious than in full higher-order logic, but also
automated reasoning and prototyping are feasible. The resulting existence of initial
models is useful (but does not preclude considering loose semantics of
specifications). The usual restriction to first-order functions and unstructured sorts in
property-oriented specifications, however, we regard as a definite disadvantage.

This has led us to investigate an intermediate or hybrid approach: 

— Types may be polymorphic, and include abstract types as well as the concrete 
set-theoretical product, power-set, and function types. 

— Operations may be higher-order and partial. 

— The only built-in relations are equality, set membership and definedness (the 
last merely abbreviates an equality). 

— Formulae are restricted to Horn clauses (no disjunction, variables are
universally quantified).

— Models have set-theoretic foundations. 

— Specifications have initial models (when consistent). 

— Specifications are amenable to prototyping and reasoning using rewriting 
and saturation techniques. 

The main novelty of our approach is its treatment of set-theoretic concepts
using the rather weak logical framework of (equational) Horn clauses. It will be
helpful to consider altogether three kinds of models of specifications: arbitrary
algebraic models, where values of set-types do not necessarily have any concrete
set-theoretic structure at all; labelled-set models, where they are pair of arbitrary
labels and ordinary sets; and standard set-theoretic models, where sets
have neither labels nor extra elements. For the algebraic and labelled-set models
we obtain initial models, and we give conditions such that the standard
set-theoretic models have initial reducts. The conclusion is that when sets are used
essentially as types, and their equality is of no concern, one need only consider
the standard set-theoretic models of our specifications.

Thus a framework based on our approach could be attractive for those who 
prefer the concrete, higher-order, set-theoretic nature of B or Z, but who also 
like the possibility of automated reasoning and prototyping for exploring the 
consequences of (requirements or design) specifications. The price to be paid 
for the latter is the restriction to Horn clauses, and the avoidance of conditions 
involving equality between sets that do not necessarily have the same members 
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in all models. As a compensation, the models of our specifications are of a much 
simpler nature than those of Z specifications. 

Plan of the Paper. Section 2 explains the syntax of our proposal for algebraic
specifications with (higher-order, polymorphic) set-theoretic types, giving some
simple examples. Section 3 defines the notion of a presentation. Section 4 gives a
deductive system for type judgements. Section 5 presents our main proof system
for reasoning about the consequences of specifications. Section 6 investigates the
three kinds of models mentioned above. Section 7 outlines how the language
presented here can be extended to cater for explicit subset inclusions, and
indicates how accurately other familiar set-theoretic constructs can be specified in
this framework. Finally, Section 8 discusses the relationship of our framework to
Membership Equational Logic and other work, and considers possible directions
for future developments. Due to space limitations all proofs of results are
either sketched or deferred to the extended version of this paper.

2 Specifications 

Some simple examples of specifications are given in Tables 1–6. They are intended
mainly to illustrate the basic form of our specifications; this is reminiscent of
(non-imperative) B and Z, although there are also some significant differences,
such as our treatment of partiality, polymorphism, and overloading. The rest of
this section gives an informal explanation of the syntax and semantics of the
specification language.



Table 1. Natural Numbers

Naturals

type N
0 ∈ N

succ ∈ N ⇸ N
pred ∈ N ⇸ N

∀ n ∈ N •

pred(succ(n)) = n

pred(n)↓ ⇒ succ(pred(n)) = n

pred(0)↓ ⇒ ⊥



As illustrated in Table 1, a specification here is mainly just a set of Horn
clauses where the atomic formulae are equations t₁ = t₂, set memberships t ∈ s,
or definedness assertions t↓. A Horn clause with conditions A₁, …, Aₙ and
conclusion A is written A₁ ∧ … ∧ Aₙ ⇒ A; when n = 0 it is written ⊤ ⇒ A,
or simply A. Negative clauses, asserting that the conditions cannot all hold
together, are written A₁ ∧ … ∧ Aₙ ⇒ ⊥.

Terms t are formed from constants and variables by the two binary operations
of function application t₁(t₂) and pairing (t₁, t₂). Only one pair of
parentheses is needed in f((x, y)), and (x, (y, z)) may be written (x, y, z). Mixfix
notation is allowed for application: when a function constant f has n place-holders
(written _), the application f(t₁, …, tₙ) (or f(t₁) … (tₙ)) may be written as f
with each place-holder replaced by the corresponding argument term tᵢ. E.g.,
_+_(m, succ(n)) may be written m + succ n, as illustrated in Table 2.



Table 2. Natural Numbers with addition

NaturalsPlus

Naturals

_+_ ∈ N × N ⇸ N

∀ m, n ∈ N •

m + 0 = m

m + succ(n) = succ(m + n)

pred(n)↓ ⇒ m + pred(n) = pred(m + n)



The function constants _×_, _⇸_, P_, used for expressing sets, have
interpretations such that for any sets S, T:

— the members of S × T are all pairs (s, t) with s ∈ S, t ∈ T;

— all members of S ⇸ T represent partial functions which, when defined, map
values in S to values in T;

— all members of P S are subsets of S.

By letting S ⇸ T and P S return subsets of the usual results, we admit models
with countable universes. Meinke uses a similar technique for the type
constructors in his approach to higher-order algebra.

We distinguish some terms denoting sets as types, using them in checking
the consistency of use of symbols in specifications. An abstract 'given' type S
is simply a set constant whose members remain to be specified; it is introduced
by writing type S, as with N in Table 1. Applications of the function constants
_×_, _⇸_, P_ then generate concrete set-theoretic types based on the abstract
types. E.g., N ⇸ N and N × N ⇸ N are types in Tables 1 and 2. (We let _×_
have higher precedence than _⇸_, and group both of them to the right; P_ has
higher precedence than _×_.) The type of the constant N itself is implicitly P N;
the membership N ∈ P N, used later, might look a bit strange, but it merely
corresponds to the inclusion N ⊆ N, implying that N must denote a set.

All the constants c used in a specification are required to have declared types,
written as (unconditional) memberships of the form c ∈ T, where T is a type
term. The assertion c ∈ T implies the definedness of c (and of T, but in fact
type terms T always have defined values).

We follow the Z style of collecting all the declarations concerning types at 
the head of the specification, separating them from the body by a short line. 
This style has the benefit of clearly exhibiting all the used constants, together 
with their types. Furthermore, since declarations are generally just membership 
assertions, they may be considered as ordinary clauses, which allows one to 
ignore the separation between the head and the body of the specification when 
considering its logical consequences. 

We also follow Z in the way that a specification may be named. A reference
to its name in the head of another specification is equivalent to inserting a copy
of the named specification (putting the head and body in the right places, and
renaming any clashing variables). Thus the specification in Table 2 extends that
in Table 1.

Although all types are sets, not all sets need be types. Table 3 illustrates
the specification of the sets Even and Odd as subsets of N. Whereas checking
whether a term has a particular type is decidable (as we shall see in Section 4),
it is in general undecidable to check membership of a set, since a membership
assertion may have equations as conditions, as well as other memberships.



Table 3. Even and Odd Numbers

EvenOdd

Naturals

Even ∈ P N
Odd ∈ P N

∀ n ∈ N •

0 ∈ Even

n ∈ Even ⇒ succ(n) ∈ Odd
n ∈ Odd ⇒ succ(n) ∈ Even



The clauses in the body of a specification generally involve variables, and we
require the types of the variables to be declared at the top of the body, again
writing them as memberships, e.g., n ∈ N. For conciseness, several variables of
the same type may be declared together, e.g., m, n ∈ N. We follow the Z style
by enclosing the list of type memberships in ∀ … •, and by using semicolons as
separators. Apart from being used in type-checking, each variable membership is
regarded as an implicit condition of all the clauses in the body of the specification
(or of just those in which the variable occurs, if one prefers, as the choice here
doesn't affect the consequences or satisfaction of the extended clauses). Note
that the value of a variable can never be undefined.
Type variables are allowed too, and used as arguments of the type constructors
_×_, _⇸_, P_ to provide concrete polymorphic types. E.g., the first projection
function first for pairs has type X × Y ⇸ X, where X and Y are both type
variables. Since type variables are needed for use in declarations, they are listed
before them, at the top of the head of the specification.

Table 4 gives a specification of the predefined constructors for polymorphic
set-theoretic types: V × W, X ⇸ Y, P Z, and of the projection functions for
pairs: first, second. This anonymous specification is assumed to be implicitly
referenced by every other specification, so that its declarations and clauses are
always available.



Table 4. Predefined constants

∀ type V, W, X, Y, Z •
type V × W
type X ⇸ Y
type P Z

first ∈ V × W ⇸ V
second ∈ V × W ⇸ W

∀ p ∈ V × W; f ∈ X ⇸ Y;
  v ∈ V; w ∈ W; x ∈ X; z ∈ Z;
  Q ∈ P V; R ∈ P W; S ∈ P X; T ∈ P Y; U, U' ∈ P Z •
v ∈ Q ∧ w ∈ R ⇒ (v, w) ∈ Q × R
p ∈ Q × R ⇒ first(p) ∈ Q
p ∈ Q × R ⇒ second(p) ∈ R
(first(p), second(p)) = p
first(v, w) = v
second(v, w) = w

f ∈ S ⇸ T ∧ x ∈ S ∧ f(x)↓ ⇒ f(x) ∈ T
z ∈ U ∧ U ∈ P U' ⇒ z ∈ U'



Type variables are also used to declare abstract polymorphic types, such as
Seq(X) in Table 5. In fact Seq is interpreted as a (total) function from sets to sets,
but in general we only need to consider its application to particular argument
type terms, e.g., Seq(N), Seq(Seq(X)). Notice that we only need to reference
GenericSequences, after which we may use Seq(X) with arbitrary arguments X;
the treatment is different in Z, where a specification using GenericSequences
would explicitly instantiate X to a particular type.

Table 5 illustrates also the possibility of overloading, or ad hoc polymorphism,
by declaring a second type for the function (constant) _+_. In models of this
Table 5. Generic Sequences

GenericSequences

NaturalsPlus
∀ type X •

type Seq(X)

⟨⟩ ∈ Seq(X)

⟨_⟩ ∈ X ⇸ Seq(X)

_+_ ∈ Seq(X) × Seq(X) ⇸ Seq(X)

|_| ∈ Seq(X) ⇸ N

∀ s, t, u ∈ Seq(X); x ∈ X •

⟨⟩ + s = s
s + ⟨⟩ = s

s + (t + u) = (s + t) + u

|⟨⟩| = 0
|⟨x⟩| = succ(0)

|s + t| = |s| + |t|



specification, _+_ is interpreted as a single partial function on the entire universe,
returning only results in N when applied to arguments in N, and only results in
Seq(X) when applied to arguments in Seq(X) (for any set X). Had we followed
Z in interpreting S ⇸ T as a subset of P(S × T), we would have needed a more
complicated interpretation of overloaded functions (as functions from types to
the actual functions of interest).

The concrete types V × W, X ⇸ Y, and P Z never have any values in
common. Thus a specification where an overloaded constant is declared, say,
with both a pair type and a set type, is simply inconsistent, with no models
at all. Similarly, abstract types never have any values in common with concrete
types (although they may have values in common with other abstract types).

The use of higher-order functions in our framework is illustrated in Table 6.
The somewhat tedious definedness conditions are needed because equations are
interpreted existentially, implying that their terms have defined values. They
would not be needed if f were restricted to total functions (types of total
functions are considered briefly in Section 7). One could also eliminate the need for
definedness conditions by introducing so-called strong equations, which hold also
when the values of both terms are undefined.
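To see concretely why the guards are needed, here is an added example (not from the paper) that prototypes the intended partial models of Tables 1, 2, 5 and 6 over ground terms: a strict evaluator in which pred(0) has no value, equations are checked under the existential reading, and the clauses of Tables 1 and 6 are instantiated with and without their definedness conditions. The term encoding, the choice to leave the overloaded _+_ undefined on mixed arguments (the tables only constrain it on N × N and Seq(X) × Seq(X)), and the constant names empty, unit and len standing for ⟨⟩, ⟨_⟩ and |_| are this example's own assumptions.

```python
# Added example: a partial-model prototype for the ground fragment of
# Tables 1, 2, 5 and 6.  Encoding and constant names are assumptions of
# this example, not the paper's syntax.
from dataclasses import dataclass


@dataclass(frozen=True)
class Seq:             # a value of a sequence type Seq(X), Table 5
    items: tuple


def _pred(n):          # pred is partial: pred(0) has no value (pred(0)↓ ⇒ ⊥)
    return None if n == 0 else n - 1


def _plus(a, b):       # the overloaded _+_ of Tables 2 and 5 as ONE partial
    if isinstance(a, int) and isinstance(b, int):    # function: N × N -> N
        return a + b
    if isinstance(a, Seq) and isinstance(b, Seq):    # and Seq(X) × Seq(X)
        return Seq(a.items + b.items)
    return None        # assumption: undefined on mixed arguments


def _mapseq(f, s):     # mapseq f s is undefined as soon as some f(x) is
    out = []
    for x in s.items:
        y = f(x)
        if y is None:
            return None
        out.append(y)
    return Seq(tuple(out))


CONSTANTS = {
    '0': 0, 'succ': lambda n: n + 1, 'pred': _pred, '+': _plus,
    'empty': Seq(()), 'unit': lambda x: Seq((x,)),        # <> and <_>
    'len': lambda s: len(s.items), 'mapseq': _mapseq,     # |_| and mapseq
}


def ev(term):
    """Evaluate a ground term; None stands for 'undefined'.
    A term is a literal value, a constant name, or (name, arg1, ..., argn);
    application is strict, so an undefined argument makes the result undefined."""
    if isinstance(term, str):
        return CONSTANTS[term]
    if isinstance(term, tuple) and term and isinstance(term[0], str):
        args = [ev(a) for a in term[1:]]
        if any(a is None for a in args):
            return None
        f = CONSTANTS[term[0]]
        return f(*args) if args else f
    return term


def defined(term):                       # the atom  t↓
    return ev(term) is not None


def eq(lhs, rhs):
    """Existential reading of  lhs = rhs : both sides have a value, and equal."""
    a, b = ev(lhs), ev(rhs)
    return a is not None and a == b


def holds(conditions, conclusion):       # a ground Horn clause  A1 ∧ ... ∧ An ⇒ A
    return conclusion if all(conditions) else True


def check_naturals(max_n=4):
    """Instances of the Table 1 clauses, guarded and unguarded, for n = 0..max_n."""
    out = {'pred_zero_clause': holds([defined(('pred', 0))], False)}
    for n in range(max_n + 1):
        pn = ('pred', n)
        out[n] = {
            'pred_succ':         eq(('pred', ('succ', n)), n),
            'succ_pred_bare':    eq(('succ', pn), n),               # no guard
            'succ_pred_guarded': holds([defined(pn)], eq(('succ', pn), n)),
        }
    return out


def check_mapseq(f, s, t):
    """The last clause of Table 6 with and without its definedness guard."""
    lhs = ('mapseq', f, ('+', s, t))
    rhs = ('+', ('mapseq', f, s), ('mapseq', f, t))
    guard = [defined(('mapseq', f, s)), defined(('mapseq', f, t))]
    return {'bare': eq(lhs, rhs), 'guarded': holds(guard, eq(lhs, rhs))}
```

check_naturals() shows the unguarded instance succ(pred(0)) = 0 failing, because its left-hand side has no value, while the guarded clause of Table 1 holds at every n and the negative clause pred(0)↓ ⇒ ⊥ holds because its condition is false. check_mapseq('pred', Seq((0,)), Seq((2,))) shows the same for the last clause of Table 6: mapseq pred is undefined on any sequence containing 0, so the bare equation fails and only the guarded clause survives; with f total on the inputs, both readings agree.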

This completes the informal explanation of our syntax and its intended
interpretation. We believe that many existing (non-imperative) Z specifications
could be reformulated in our language. The following sections focus on the for-
Table 6. Mapping Generic Sequences

MappingGenericSequences

GenericSequences
∀ type X, Y •

mapseq ∈ (X ⇸ Y) ⇸ Seq(X) ⇸ Seq(Y)

∀ f ∈ X ⇸ Y; s, t ∈ Seq(X); x ∈ X •
mapseq f ⟨⟩ = ⟨⟩
f(x)↓ ⇒ mapseq f ⟨x⟩ = ⟨f(x)⟩
mapseq f s↓ ∧ mapseq f t↓ ⇒
  mapseq f (s + t) = mapseq f s + mapseq f t



mal foundations: type-checking, proof system, and models. But first, let us strip
away the concrete syntax of specifications to obtain abstract presentations.*



3 Presentations 

As explained in the preceding section, a specification SP (always extending
Table 4) is mainly a set of Horn clauses, separated into two parts. It determines an
abstract presentation (𝓕, 𝓧, 𝓜, 𝓗) as follows:

— 𝓕 is the set of all the (untyped) constant symbols declared by memberships
c ∈ T or by type declarations type c in the head of SP. The type symbols
form a distinguished subset 𝓕_t of 𝓕. For a polymorphic type declaration
type F(X₁, …, Xₙ) we let 𝓕_t include the function symbol F.

— 𝓧 is the set of all the (untyped) variables declared by variable memberships
x ∈ T in the body of SP or by type variable declarations type X in the head
of SP. The type variables form a distinguished subset 𝓧_t of 𝓧.

— 𝓜 is the set of all the membership atoms specified in the head of the
specification, together with implicit memberships determined by type
declarations: a declaration of an abstract type constant c gives rise to c ∈ P c;
and a polymorphic type F(X₁, …, Xₙ) provides F ∈ P X₁ × … × P Xₙ ⇸
P(F(X₁, …, Xₙ)), as well as F(X₁, …, Xₙ)↓, the latter ensuring the totality
of F. Moreover, for each type variable X in 𝓧_t, 𝓜 includes the membership
atom X ∈ P X.

— 𝓗 is the set of Horn clauses in the body of SP with the declarations of
variables in the body added as extra conditions.



* Presentations could be divided into the signatures and sentences of an institution,
but the details are not relevant here.
The following negative clauses are added to 𝓗:

p ∈ Q × R ∧ p ∈ S ⇸ T ⇒ ⊥
f ∈ S ⇸ T ∧ f ∈ P U ⇒ ⊥
z ∈ P U ∧ z ∈ Q × R ⇒ ⊥

together with similar clauses expressing the impossibility of values common to
both concrete and abstract types, such as z ∈ N ∧ z ∈ P U ⇒ ⊥. This reflects
the intention of keeping pairs, functions, and sets distinct from other values in
our models.

Extend 𝓕 (resp. 𝓕_t), the set of all user-defined and predefined constants,
with two binary operators, namely application ·(·) and pairing (·,·). T(𝓕, 𝓧)
denotes the set of terms built from the set of variables 𝓧 and the extended 𝓕.
The set of type terms T(𝓕_t, 𝓧_t) is similarly built from the extended 𝓕_t.

Notice that whereas a specification SP involves declarations of typed symbols,
the declarations (𝓕, 𝓧) of the corresponding abstract presentation are untyped,
and the original type information has been replaced by membership axioms.
Thus standard results and tools pertaining to unsorted Horn clause logic may
be applied to our presentations. Nevertheless, as we shall see in the next section,
we can still check that our presentations are well-typed.

Substitutions are mappings from 𝓧 to T(𝓕, 𝓧), mapping variables to terms,
such that type variables are mapped only to type terms. They are denoted
by Greek letters. SUBST(𝓕, 𝓧) denotes the set of such substitutions defined
on T(𝓕, 𝓧). The domain of σ, written Dom(σ), is defined as the set {x ∈
𝓧 | σ(x) ≠ x}, and is assumed finite.



4 Type Checking 

In this and the following sections we assume given a fixed presentation 𝒫 =
(𝓕, 𝓧, 𝓜, 𝓗) determined by some specification as explained in Section 3.

Let us introduce type judgements of the form t : T, where t is any term
but T is restricted to type terms. Our deduction rules for such judgements are
given in Table 7. For each membership axiom of the form t ∈ T in 𝓜, we have
t : T as an axiom too. However, note that t ∈ T is only a consequence of t : T
when the value of t is defined. The axioms Pair, Appl in Table 7 reflect that
the judgement t : T is merely a decidable approximation to t ∈ T, disregarding
whether the values of terms are defined, in contrast to the corresponding clauses
given in Table 4 above. Note that we deliberately leave out the potential typing
axiom x : T ∧ T : P T' ⇒ x : T'. Thinking of T : P T' as a type inclusion
T ⊆ T', such an axiom would merely let us deduce larger types from smaller
ones.

Definition 1. A term t is well-typed if one can deduce with the typing deduction
rules in Table 7 that t : T. Then T is called a type of t.
Table 7. Deduction rules for type-checking

Axioms:   t : T                            if (t ∈ T) is in 𝓜

Pair:     x : X ∧ y : Y ⇒ (x, y) : (X × Y)

Appl:     f : X ⇸ Y ∧ x : X ⇒ f(x) : Y

Subst:    G ⇒ L
          -----------------                if σ is in SUBST(𝓕, 𝓧)
          σ(G) ⇒ σ(L)

Cut:      G ∧ L' ⇒ L,   G' ⇒ L'
          -----------------------
          G ∧ G' ⇒ L



Due to overloading of constants, and to substitutions for type variables in
polymorphic types, a term may have many types. Checking whether a term t is
well-typed amounts to finding the solutions of the goal t : X, where X is a variable, in
the Horn theory given by the clauses in Table 7, which can be done by resolution.

Proposition 1. Assuming that the declarations in a presentation provide a finite
number of membership axioms for each constant and variable used, there
exists a procedure to enumerate the set of types of any term. This procedure
terminates, so it is decidable to check whether a term is well-typed.

Proof: By resolution in the Horn clause theory defined by the axioms of Table 7
we can enumerate the solutions of a goal t : X where X is a variable. In this
process, variables in t are considered as constants and cannot be instantiated.
The procedure terminates since there is a finite number of typing axioms
for constants, and, in each resolution step using a non-atomic clause, the
structural complexity of terms to be typed strictly decreases. □
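The enumeration procedure of Proposition 1, as an added example that is not part of the paper: resolution against the term-structure rules Axioms, Pair and Appl of Table 7, with unification standing in for the substitution of type variables in polymorphic declarations and several membership axioms per constant giving overloading. The tuple encoding of terms and type terms, the constant names empty and unit for ⟨⟩ and ⟨_⟩, and the signature assembled from Tables 1, 2, 4 and 5 are this example's own choices.

```python
# Added example: type enumeration by resolution over the rules of Table 7.
# The encoding of terms/types and the signature AXIOMS are assumptions of
# this example, not the paper's own syntax.
from itertools import count

_fresh = count()

# Type terms: ('var', name) is a type variable; anything else is a type
# constructor applied to type terms: ('x', A, B), ('pfun', A, B), ('Seq', A),
# ('N',).  Terms: ('c', name), ('v', name), ('app', f, x), ('pair', a, b).
N = ('N',)
def VAR(n):      return ('var', n)
def PROD(a, b):  return ('x', a, b)
def PFUN(a, b):  return ('pfun', a, b)
def SEQ(a):      return ('Seq', a)
def C(name):     return ('c', name)
def V(name):     return ('v', name)
def APP(f, x):   return ('app', f, x)
def PAIR(a, b):  return ('pair', a, b)

def rename_apart(ty, table):
    """Fresh copy of an axiom's type variables, one per use of the axiom."""
    if ty[0] == 'var':
        if ty[1] not in table:
            table[ty[1]] = VAR('%s_%d' % (ty[1], next(_fresh)))
        return table[ty[1]]
    return (ty[0],) + tuple(rename_apart(a, table) for a in ty[1:])

def walk(ty, subst):
    while ty[0] == 'var' and ty[1] in subst:
        ty = subst[ty[1]]
    return ty

def occurs(name, ty, subst):
    ty = walk(ty, subst)
    return ty[1] == name if ty[0] == 'var' else any(occurs(name, a, subst) for a in ty[1:])

def unify(a, b, subst):
    """Syntactic unification of type terms: an extended substitution or None."""
    a, b = walk(a, subst), walk(b, subst)
    if a == b:
        return subst
    if a[0] == 'var':
        return None if occurs(a[1], b, subst) else {**subst, a[1]: b}
    if b[0] == 'var':
        return unify(b, a, subst)
    if a[0] != b[0] or len(a) != len(b):
        return None
    for x, y in zip(a[1:], b[1:]):
        subst = unify(x, y, subst)
        if subst is None:
            return None
    return subst

def solve(term, axioms, subst):
    # Resolution: yield (type, subst) solutions of the goal  term : ?X.
    # Variables of the term are typed from their declarations only and are
    # never instantiated, as required in the proof of Proposition 1.
    kind = term[0]
    if kind in ('c', 'v'):                        # rule Axioms
        for ty in axioms.get(term[1], ()):
            yield rename_apart(ty, {}), subst
    elif kind == 'pair':                          # rule Pair
        for ta, s1 in solve(term[1], axioms, subst):
            for tb, s2 in solve(term[2], axioms, s1):
                yield PROD(ta, tb), s2
    elif kind == 'app':                           # rule Appl
        for tf, s1 in solve(term[1], axioms, subst):
            dom, cod = VAR('d%d' % next(_fresh)), VAR('c%d' % next(_fresh))
            s2 = unify(tf, PFUN(dom, cod), s1)    # f : X -+-> Y
            if s2 is None:
                continue
            for tx, s3 in solve(term[2], axioms, s2):
                s4 = unify(dom, tx, s3)           # x : X
                if s4 is not None:
                    yield cod, s4                 # hence f(x) : Y

def resolve(ty, subst):
    ty = walk(ty, subst)
    return ty if ty[0] == 'var' else (ty[0],) + tuple(resolve(a, subst) for a in ty[1:])

def normalize(ty, names=None):
    # Rename the type variables left in a result a0, a1, ... in order of appearance.
    names = {} if names is None else names
    if ty[0] == 'var':
        names.setdefault(ty[1], VAR('a%d' % len(names)))
        return names[ty[1]]
    return (ty[0],) + tuple(normalize(a, names) for a in ty[1:])

def types_of(term, axioms):
    """All types of a term (Definition 1); empty when it is not well-typed."""
    found = {normalize(resolve(ty, s)) for ty, s in solve(term, axioms, {})}
    return sorted(found, key=repr)

X, Y, Vt, W = VAR('X'), VAR('Y'), VAR('V'), VAR('W')
AXIOMS = {                     # constructed from Tables 1, 2, 4, 5, plus n ∈ N
    '0': [N], 'succ': [PFUN(N, N)], 'pred': [PFUN(N, N)], 'n': [N],
    '+': [PFUN(PROD(N, N), N),                    # Table 2
          PFUN(PROD(SEQ(X), SEQ(X)), SEQ(X))],    # Table 5: overloaded
    'first': [PFUN(PROD(Vt, W), Vt)],             # Table 4: polymorphic
    'empty': [SEQ(X)], 'unit': [PFUN(X, SEQ(X))], # <> and <_> of Table 5
    'mapseq': [PFUN(PFUN(X, Y), PFUN(SEQ(X), SEQ(Y)))],
}
```

types_of(APP(C('+'), PAIR(C('0'), V('n'))), AXIOMS) returns the single type N: the Seq overload of + is tried as well, but unifying Seq(X) with N fails, so only the N × N ⇸ N axiom contributes. For + on two empty sequences the result is Seq(a0) with a free type variable, i.e. a polymorphic type, and for a term with no solution at all (succ applied to a sequence) the list is empty, which is exactly "not well-typed". Termination is the structural argument of the proof: every Pair or Appl step types a strictly smaller term and each symbol has finitely many axioms.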

5 Proof System 

The proof rules shown in Table 8 are for a deduction relation 𝒫 ⊢ 𝒟 taking two
arguments: a presentation 𝒫 and a formula 𝒟. 𝒫 ⊢ 𝒟 means that one can derive
𝒟 by applying the rules in Table 8.

The same set of formulas could be deduced with a slightly different set of
deduction rules where Subst, Cut and Paramod are replaced by a resolution
rule and a paramodulation rule involving unification of atomic formulas and
terms.

The meta-variables G, G' range over possibly-empty conjunctions of atomic
formulae (the empty conjunction is written ⊤) and L, L' may be a single atomic
formula or ⊥. Recall that an atom L is identified with the Horn clause ⊤ ⇒ L.

Thanks to the paramodulation rule Paramod, it is possible to deduce in
this proof system formulas with apparently non well-typed terms. Let us consider
types A, B, C, membership declarations a ∈ A, a ∈ B, b ∈ B, b ∈ C, f ∈ A ⇸ A
Table 8. Deduction rules for presentations

WellDef:      G ⇒ L[t]
              ---------------            if L[t] is an atom containing t as
              G ⇒ t↓                     a sub-term

PartialRef:   t↓ ⇒ t = t

Axioms:       G ⇒ L                      if (G ⇒ L) is in 𝓗 ∪ 𝓜

Subst:        G ⇒ L,   σ(x)↓ for all x in Dom(σ)
              ----------------------------------   if σ is in SUBST(𝓕, 𝓧)
              σ(G) ⇒ σ(L)

Cut:          G ∧ L' ⇒ L,   G' ⇒ L'
              -----------------------
              G ∧ G' ⇒ L

Paramod:      G ⇒ L[s],   G' ⇒ (s = t)
              -------------------------
              G ∧ G' ⇒ L[t]



and an equality a = b. We get f(a) : A and f(a) ∈ A, then f(b) ∈ A using
Paramod, although f(b) is not well-typed.

The next propositions state relations between type judgements and formulas
deduced in the proof system.

Proposition 2. Let 𝒫 be a presentation, and T any type term in T(𝓕_t, 𝓧_t)
other than a variable. Then 𝒫 ⊢ T↓.

Proof: (Sketch) Existence follows from the memberships in 𝓜 determined by
type declarations, using the rules WellDef and Subst. □



Proposition 3. Let 𝒫 be a presentation, and t, T any terms in T(𝓕, 𝓧). Suppose
𝒫 ⊢ t : T (from Table 7), as well as 𝒫 ⊢ t↓ (from Table 8). Then
𝒫 ⊢ t ∈ T.

Proof: (Sketch) Any proof of t : T can be converted into a proof of t ∈ T,
using WellDef to provide the required existence of subterms. □



6 Models 

We are interested primarily in standard set-theoretic models, where values of
set-types are actually ordinary sets. But in order to obtain our initiality results,
we shall consider other classes of models as well.

6.1 Algebraic Models

The first class of models we consider is a class of algebraic models I, namely
unsorted partial first-order structures. In these models, = is interpreted as identity,
↓ as existence of a value, ∈ by a binary relation, and constants c by values.
Homomorphisms are the classical ones that, by construction, preserve type
values and definedness.

Formula satisfaction is written I ⊨ φ, or 𝒫 ⊨ φ in case all models of 𝒫
satisfy the formula φ. Let Alg(𝒫) denote the class of all partial 𝓕-structures
that satisfy all formulae in 𝒫.

Since the axioms in 𝓜 ∪ 𝓗 of a presentation 𝒫 are Horn clauses, the class of
unsorted partial 𝓕-structures satisfying 𝓜 ∪ 𝓗 has initial models (provided that
the set of axioms is consistent).

Let 𝒯(𝒫) denote the initial 𝓕-structure of Alg(𝒫). It may be constructed
from equivalence classes [t] of those terms whose existence follows from 𝒫, where
two terms t₁, t₂ are deemed equivalent when their equality follows from 𝒫.

Theorem 1. Let 𝒫 be a presentation. The deduction rules in Table 8 are sound
and complete, i.e. for any atomic formula ψ, 𝒫 ⊨ ψ iff 𝒫 ⊢ ψ.

Proof: Since 𝒯(𝒫) is an algebraic model, if 𝒫 ⊨ ψ, then 𝒯(𝒫) ⊨ ψ. By
definition of 𝒯(𝒫), for any atomic formula ψ, 𝒯(𝒫) ⊨ ψ iff 𝒫 ⊢ ψ. □

The following definition plays an important role in relating algebraic models
to models with set-theoretic structure:

Definition 2. Let I be an 𝓕-structure in Alg(𝒫). The set-like values of I are
those values s in I such that some value v in I is a member of s under the
interpretation of ∈.

It follows from Proposition 3 that in a model of a presentation, the value of
any ground term of type P T for some T is set-like, when defined.
6.2 Labelled-Sets Models 

Now we restrict the class of algebraic models by imposing that set-like values (cf.
Definition 2) are interpreted as labelled sets of values. A labelled set is denoted
by s^l where l is the label.

Two labelled sets are equal if their underlying sets are equal and their labels
are identical. The membership predicate ∈ is interpreted by ordinary membership
between values and the underlying sets, thus ignoring the label. Let
LSAlg(P) be the class of all labelled-set models that satisfy P. From T(P), let
us now build a labelled-set model S(P) isomorphic to T(P). First let us choose
the set of labels as the set of equivalence classes of T(P). Then the idea is to
associate to any term t : P(T) a labelled set with label [t], and whose elements
are values that are provably members of t.

Let us now formally define S(P). The carrier of S(P) contains equivalence
classes of T(P) as atomic objects and labelled sets of values. Let us consider
the mapping h : T(P) → S(P) defined as follows: if t : P(T), then
h([t]) = { h([u]) | P ⊢ u ∈ t }^[t], else h([t]) = [t].

Proposition 4. In S(P), two labelled sets are equal iff their labels are equal.

Proof: If two labelled sets are equal, their labels are equal by definition.

Conversely assume that two labels are equal: [t1] = [t2], i.e. P ⊢ t1 = t2. Let
us define s1 = { h([u]) | P ⊢ u ∈ t1 } and s2 = { h([v]) | P ⊢ v ∈ t2 }. For
all h([u]) in s1, from u ∈ t1 and t1 = t2, u ∈ t2 is deducible by Paramod.
So h([u]) is in s2 for all u, hence s1 is included in s2. Similarly, s2 is included
in s1. □

Thus h is an isomorphism and we get: 

Proposition 5. S(P) is initial in the class of labelled set models LSAlg(P).

Proof: (Sketch) S(P) is isomorphic to T(P) which is initial in the class of
algebraic models of P. S(P) is also a labelled set model and is thus initial
in the subclass of labelled set models. □



6.3 Set-Theoretic Models 

Let us finally consider the main class of models of interest here, namely set- 
theoretic models. 

A set-theoretic model is one where all set-like values (cf. Definition 2) are
ordinary, unlabelled sets. The interpretation of = and ∈ is now exactly as in
standard set theory. Let SAlg(P) be the class of all standard set-theoretic models
that satisfy P.

Set-theoretic models can be obtained from labelled-set models by forgetting
the labels on the sets. This may however map two different labelled sets to the
same unlabelled set. In particular, the set-theoretic model obtained by forgetting
labels from S(P) need not be initial in SAlg(P). E.g., suppose that P declares
two constants of set type, but does not require them to have any members at all,
so they are interpreted as distinctly-labelled empty sets in S(P); forgetting the
labels identifies the interpretations of the two constants, preventing homomor-
phisms to those set-theoretic models of P where they have distinct members.

Suppose however that one forgets not only the labels, but also the sets them- 
selves! To do this, let us first define the following subset of type terms: 

Definition 3. The P-less types are those type terms that do not contain any
occurrence of the concrete type constructor P at all.

Let us consider then the restriction of Σ obtained by keeping only those constants
that have a declared P-less type; call the result Σ'. Notice that we hereby also
eliminate our predefined type constructors from Σ in Σ'. Now taking any model of
Σ and retaining only those values that are members of P-less types gives us an
ordinary algebraic model for Σ'. This removes not only all the set-like values, but
also pairs of set-like values, and functions that return set-like values.

Even though this removal of all the values involving sets may seem rather
drastic, the important point is that we retain all values of all types such as N,
N × N, Seq(N), etc. We even retain the values of function types, e.g., succ ∈
N × N ⇸ N (since we have avoided identifying functions with their graphs, and
since the existence of a value does not require the existence of a set that con-
tains it — in contrast to many-sorted frameworks, where forgetting a sort requires
forgetting all operations whose profiles include it).

Now let R(P) be the algebraic Σ'-model obtained as a reduct of S(P) by
keeping only values of P-less types.

Proposition 6. R(P) is initial in the class of all Σ'-models arising as reducts
of models in SAlg(P).

Proof: (Sketch) We show that the unique homomorphism h from S(P) to an
arbitrary L in LSAlg(P) cuts down to a unique homomorphism from R(P)
to the reduct of L. Let x be any value of R(P); then there exists a P-less
type term T such that x ∈ T holds. Therefore h(x) is a member of T_L, so h(x)
is in the reduct of L. Thus h cuts down to a homomorphism
between the reducts; a simple induction proves uniqueness. □

We leave it to future work to find sufficient syntactic restrictions on specifi-
cations such that R(P) is unaffected by the labels on sets, i.e., adding equations
between sets to the clauses leaves R(P) unchanged.

7 Algebraic Specification of Set Theory 

Our predefined notation for sets consists merely of the function constants _×_,
P_, first, second, together with the atomic formulae for membership and
equality. But we may go much further. We have investigated an extension of
our framework to allow subset inclusions as atomic formulae. When used as a
declaration in the head of a specification, an inclusion may indicate a subtype
relationship, much as in order-sorted algebra [ref]; when used as a clause, it cor-
responds to a membership implication — but the inclusion may also be used as a
condition in a clause, in contrast to the implication. The essential properties of
inclusion are that it is a partial order, preserved by most operations. Polymorphic
type declarations are generalized to allow both monotonic and anti-monotonic
dependency on the type variables, giving rise to corresponding axioms for set
arguments. The definition of a labelled set has also to be generalized to take
account of an inclusion order on the labels themselves, but in the set-theoretic
models the interpretation of inclusion is completely standard.

Further familiar set-theoretic notation can be specified using our framework:
sets of relations and total functions, set union and intersection, singletons and
(finite) set comprehensions. Relations are represented simply as partial functions
to a singleton set; since homomorphisms preserve definedness, they also preserve
the holding of relations. A set of total functions between two sets is a subset of the
partial functions between the same sets, but not necessarily containing all such
functions that happen to be total; a total-function type constructor is provided
so that each function required to be total can simply be declared as such. Union
and intersection are specified to have the properties of a distributive lattice, as in
unified algebras [ref]. A finite set comprehension merely lists the elements that are
its members, leaving it to initiality to ensure that there are no further members.

Our intention, however, is not to try to provide a full “Mathematical Toolkit” 
like the ones available for Z and B, but rather to test the limits of our modest 
Horn-clause specification framework. It is admittedly harder to work out the 
various Horn-clause properties of an operation like union, instead of defining it 
extensionally using a disjunctive formula. But such properties are perhaps often 
needed in proofs about sets in any case, so work in this direction should be of 
significant practical relevance. 



8 Conclusion 

We have presented a framework for algebraic specifications with higher-order
types and set-theoretic models. It embodies significant simplifications, compared
to our original proposal for such a framework [ref]. We have studied three classes of
models (algebraic, labelled-set, and standard set-theoretic) and obtained initial-
ity results. We refer to [ref] for a discussion of the connections between our original
proposal and such frameworks as [illegible] logics, ETL, and unified algebras. Let
us here consider the relationship between our work and two other frameworks
that have been developed in recent years: Meinke's higher-order initial algebra
specifications, and Meseguer's first-order Membership Equational Logic.

Meinke [ref] has studied the theoretical properties and practical applica-
tions of a different framework with higher-order (non-polymorphic) types and
set-theoretic models. Although product and (total) function types are allowed,
power-set types are not, and it appears that it would not be easy to incorporate
them [ref, page 388]. The lack of power-set types precludes considering set mem-
bership in formulae, and the use of types as values. Higher-order algebras with
pairing and application operations are considered. The values of the product 
and function types are the standard set-theoretic objects, but, as in our own 
framework, the types themselves are allowed to be subsets of the usual types. 
Higher-order algebras are shown to be isomorphic to first-order algebras that 
satisfy the usual extensionality axiom for functions. Specified axioms are re- 
stricted to conditional equations involving terms of base type. Meinke provides 
a complete finitary (conditional) equational logic for the class of all extensional 
models, but needs an infinitary logic for the construction of initial models as 
quotients of term models. In contrast to Meinke, we have focussed on the power- 
set type, and kept to a finitary Horn-clause logic, getting a useful expressiveness 
but keeping tractability by not requiring extensional equality of sets. 

Meseguer [ref] has developed Membership Equational Logic (MEL), a first-
order algebraic specification framework with set-theoretic models. The types are
abstract types (called kinds), first-order n-ary total function types (for declaring
operations), and first-order power-set types (called sorts); positive conditional
clauses are allowed as axioms. Subsort inclusions can be declared. Atomic for-
mulae are equations between values of the same kind, and memberships of such
values in sorts. Equality between sets (or functions) is not directly expressible,
so extensionality is not an issue for obtaining a complete proof system and initial
models.

In an extended version of the present paper we intend to explain our treat-
ment of subtype declarations, and to give specifications of further familiar set-
theoretic concepts and notations. We will also investigate sufficient conditions for
the independence of reducts and labels on sets. We intend also to clarify the rela-
tionship between our framework and MEL. We believe that any MEL specifica-
tion can be straightforwardly translated into a presentation P in our framework,
such that the initial model in MEL corresponds exactly to our initial labelled-
set model S(P). The image of this translation would identify a sub-framework
where we could exploit the term-rewriting techniques that have already been
developed for MEL. It would be interesting then to see how far these techniques
could be extended to allow more general (e.g., partial, higher-order) specifica-
tions. Finally, along the same lines as in our previous paper [ref], we will further
consider the use of saturation techniques for obtaining a refutationally-complete
automatic theorem-prover for consequences of our specifications.
Abstract. This paper proposes a tool to support reasoning about (par-
tial) correctness of constraint logic programs. The tool infers a specifica-
tion that approximates the semantics of a given program. The semantics
of interest is an operational “call-success” semantics. The main intended
application is program debugging. We consider a restricted class of spec-
ifications, which are regular types of constrained atoms.

Our type inference approach is based on bottom-up abstract interpreta- 
tion, which is used to approximate the declarative semantics (c-seman- 
tics). By using “magic transformations” we can describe the call-success 
semantics of a program by the declarative semantics of another program. 
We are focused on CLP over finite domains. Our prototype program an- 
alyzer works for the programming language CHIP. 



1 Introduction and Motivation 

In this paper we are interested in supporting reasoning about program correct-
ness in the context of CLP (constraint logic programming). Speaking informally,
a program is correct if it behaves as expected by the user. But user expectations
are seldom well documented. This paper describes an analyzer that for a given
CLP program produces a characterization of the form of calls and successes in
any execution of the program starting from a given class of goals. The user may
inspect the description produced to see whether it conforms to her expectations.
We deal with partial correctness: the given program is partially correct w.r.t.
the obtained description.

The starting point are well-known verification conditions for partial correct-
ness of logic programs w.r.t. a specification, which gives a set of procedure calls
and a set of procedure successes. (Such verification conditions were proposed in
[ref]; a useful special case was given in [ref]). We generalize
the verification conditions for the case of CLP.

Generally the conditions are undecidable. But they become decidable for a
restricted class of specifications. For the case of LP (logic programming) it was
shown [ref] that it is sufficient to consider specifications describing regular
tree sets. In the literature this kind of specifications is often called regular types
[ref]. While successes and calls in LP are atoms, their counterpart in
CLP are constrained atoms. Therefore this paper adapts regular types for CLP
so that one can describe sets of constrained terms and atoms. This includes
adaptation of certain operations on regular types.

* This work has been supported by the ESPRIT 4 Project 22532 DiSCiPl.

To compute semantic approximations of programs, we need static analysis
techniques. We show that the verification conditions for a CLP program P con-
stitute another CLP program Q whose declarative semantics describes the calls
and successes. (Such an approach is often called “magic transformation”). For this
purpose we introduce a generalization for CLP of c-semantics [ref]:
this results in more precise descriptions than using the standard D-model seman-
tics. We then adapt the technique of Gallagher and de Waal [ref]
of bottom-up abstract interpretation to synthesize an approximation of the c-
semantics of Q; it also is an approximation of the call-success semantics of P. As
a side effect we obtain a tool to approximate the declarative semantics of CLP
programs.

We are particularly interested in CLP over finite domains (CLP(FD)) [ref],
especially the language CHIP [ref]. We have implemented a prototype type
analysis system for CHIP. It is a major modification of the system described in
[ref]. A preliminary version of our work was presented in [ref].

The use of types, as in our work, to approximate the semantics of programs 
in an untyped language is usually called descriptive typing. Another approach 
is prescriptive typing. In that approach the type information, provided by the 
programmer, influences the semantics of a program. In particular, variables are 
typed and may only be bound to the values from the respective types. Usually 
the programmer is required to provide types for function symbols and/or for 
predicates. Prescriptive typing is a basis of a few programming languages (e.g.
TypedProlog [ref], Gödel [ref], Mercury [ref]).

Experience with languages like Gödel shows that their mechanism of types is
able to find numerous errors at compile time. This is an immense advantage in
comparison to finding them during testing and run-time debugging. Our work 
adds a similar potential of static checking to any typeless CLP language (by 
comparing the types obtained from the analysis with the intended ones). 

The paper is organized as follows. The next section summarizes basic con-
cepts of CLP and presents the declarative and the operational semantics. Then
we propose a system of regular types for CLP. Section [ref] describes the type in-
ference method used in this work. Then we present an example of type analysis
for CHIP.



2 Semantics of CLP 



In this work we employ two semantics of CLP. We need a semantics providing 
information about the form of procedure calls and successes during the execution 
of CLP programs; this is the role of a call-success semantics. The analysis method 
employs magic transformation, so we also need a declarative semantics. Both 
semantics are introduced below in this section. 
Most implementations of CLP use syntactic unification¹. In this paper we
are interested in CLP with syntactic unification; we believe however that our
work can be adapted to the “standard” CLP.



2.1 Basic Concepts 

We consider a fixed constraint domain. It is given by fixing a signature and a
structure D over this signature. Predicate symbols of the signature are divided
into constraint predicates and (non-constraint) predicates. The former have a
fixed interpretation in D, the interpretation of the latter is defined by programs.
Similarly, the function symbols are divided into interpreted function symbols and
constructors. All the function symbols have a fixed interpretation. It is assumed
that the interpretations of constructors are bijections with disjoint co-domains.
So the elements of structure D can be seen as terms built from some elementary
values by means of constructors². That is why we will often call them D-terms.
An atomic constraint is an atomic formula with a constraint predicate symbol.
Throughout this paper by a constraint we will mean an atomic constraint or
c1 ∧ c2 or c1 ∨ c2 or ∃x c1, where c1 and c2 are constraints and x is a variable.
A CLP clause is of the form: h ← c, b1, ..., bn where h, b1, ..., bn are atoms
(i.e. atomic formulae built up from non-constraint predicate symbols) and c is a
conjunction of atomic constraints. A CLP program is a finite set of CLP clauses.



2.2 Declarative Semantics 

The standard least D-model semantics is insufficient for our purposes. We are
interested in the actual form of computed answers³. Two programs with the
same least D-model semantics may have different sets of computed answers. For
instance take the following two CLP(FD) programs

    P1 = { p(1).  p(2). }        P2 = { p(x) ← x ∈ {1,2}. }

and a goal p(x). Constraint x ∈ {1,2} is an answer for P2 but not for P1. In order
to describe such differences, we generalize the c-semantics [ref]. For
logic programs, this semantics is given by the set of (possibly non ground) atomic
logical consequences of a program. The c-semantics for CLP will be expressed
by means of constrained atoms.

¹ In CLP with syntactic unification, function symbols occurring outside of constraints
are treated as constructors. So, for instance in CLP over integers, the goal p(4) fails
with the program { p(2+2) ← }, but the goal X #= 4, p(X) succeeds (where #= is the
constraint of arithmetical equality).

² Notice that in many CLP languages function symbols also play the role of construc-
tors. For instance, the interpretation of 2 + 3 may be a number, while that of a + 3
(where a is a 0-ary constructor) is a D-term with the main symbol +.

³ D-model semantics can be used to describe CLP with syntactic unification; one has
to make D a Herbrand domain. (No element of the carrier of such a domain
is a value of two distinct ground terms).
Definition 1. A constrained expression (atom, term, ...) is a pair c[]E of a
constraint c and an expression E such that each free variable of c occurs (freely)
in E.

If ν is a valuation such that D ⊨ ν(c) then ν(E) is called a D-instance of
c[]E.

A constrained expression c'[]E' is an instance of a constrained expression
c[]E if c' is satisfiable in D and there exists a substitution θ such that E' = Eθ
and D ⊨ c' → cθ (cθ means here applying θ to the free variables of c, with a
standard renaming of the non-free variables of c if a conflict arises).

If c[]E is an instance of c'[]E' and vice versa then c[]E is a variant of c'[]E'.
By the instance-closure cl(E) of a constrained expression E we mean the set
of all instances of E. For a set S of constrained expressions, its instance-closure
cl(S) is defined as ⋃_{E ∈ S} cl(E).

Note that, in particular, cθ[]Eθ is an instance of c[]E and that c'[]E is an instance
of c[]E whenever D ⊨ c' → c. The relation of being an instance is transitive.
(Take an instance c'[]Eθ of c[]E and an instance c''[]Eθσ of c'[]Eθ. As D ⊨ c'' →
c'σ and D ⊨ c' → cθ, we have D ⊨ c'' → cθσ).

Notice also that if c is not satisfiable then c[]E does not have any instance
(it is not an instance of itself).

We will often not distinguish E from true[]E and from c[]E where D ⊨ ∀c.
Similarly, we will also not distinguish c[]E from c'[]E when c and c' are equivalent
constraints (D ⊨ c ↔ c').

Example 2. a + 7, Z + 7, 1 + 7 are instances of X + Y, but 8 is not.

f(X)>3[]f(X)+7 is an instance of Z>3[]Z+7, which is an instance of Z+7,
provided that constraints f(X)>3 and Z>3, respectively, are satisfiable.

Assume a numerical domain with the standard interpretation of symbols.
Then 4 + 7 is an instance of X=2+2[]X+7 (but not vice versa), the latter is an
instance of Z>3[]Z+7.

Consider CLP(FD) [ref]. A domain variable with the domain S, where S
is a finite set of natural numbers, can be represented by a constrained variable
x∈S [] x (with the expected meaning of the constraint x∈S).

If Vars(c) ⊈ Vars(E) then c[]E will denote (∃_{-Vars(E)} c)[]E (where ∃_{-V}
stands for quantification over the variables not in V).

Two notions of groundness arise naturally for constrained expressions. c[]E
is syntactically ground when E contains no variables. c[]E is semantically ground
if it has exactly one D-instance.

Now we define the c-semantics for CLP with syntactic unification. In the
next definition we apply substitutions to program clauses. So let us define IP
as { Cθ | C ∈ P, θ is a substitution }.

Definition 3 (Immediate consequence operator for c-semantics). Let
P be a CLP program. T_P is a mapping over sets of constrained atoms, defined
by

    T_P(I) = { c[]h | (h ← c', b1, ..., bn) ∈ IP, n ≥ 0,
                      ci[]bi ∈ I, for i = 1, ..., n,
                      c = ∃_{-Vars(h)}(c', c1, ..., cn),
                      D ⊨ ∃c }

(where Vars(E) is the set of free variables occurring in E).

Notice that in the definition syntactic unification is used for parameter passing,
but terms occurring in constraints are interpreted w.r.t. D.

T_P is continuous w.r.t. ⊆. So it has the least fixpoint T_P↑ω = ⋃_{i≥0} (T_P)^i(∅).
By the declarative semantics (or c-semantics) M(P) of P we mean the instance-
closure of the least fixpoint of T_P:

    M(P) = cl(T_P↑ω).

Speaking informally, cl is used here only to add new constraints but not new
(non-constraint) atoms: as T_P↑ω is closed under substitution, for every c[]u ∈
M(P) there exists a c'[]u ∈ T_P↑ω such that D ⊨ c → c'.

Example 4. Consider programs P1 and P2 from the beginning of this section.
M(P1) = {p(1), p(2)}. T_{P2}↑ω contains p(1), p(2) and x∈{1,2}[]p(x). (It also
contains variants of the latter constrained atom, obtained by renaming variable
x). M(P2) contains additionally all the instances of x∈{1,2}[]p(x), like y=1[]p(y).

The traditional least D-model semantics and the c-semantics are related by
the fact that the set of D-instances of the elements of M(P) is a subset of the
least D-model of P. If we take a least D-model semantics for CLP with syntactic
unification (where D is a Herbrand domain) then the set of D-instances of the
elements of M(P) and the least D-model of P coincide.
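To make Definition 3 and Example 4 concrete, here is an added Python example (not code from the paper or from the CHIP analyzer) that computes T_P↑ω, the instance closure cl and the D-instances for tiny CLP(FD) programs. It assumes a finite universe of values, constraints that are independent per-variable domains (so syntactic unification of two domain variables amounts to domain intersection, and the projection ∃_{-Vars(h)} is just dropping variables), and constrained atoms without variable sharing between arguments; the programs P1, P2 and the additional P3 are constructed for this example.

```python
from itertools import product

# Assumption of this example: a finite universe of values (CLP(FD) domains
# are finite, and the paper's examples only use small naturals).
UNIVERSE = frozenset(range(0, 5))

# Data model (constructed for this example, not the paper's notation):
#   constrained term  = frozenset of ints   (the domain variable  x∈S [] x;
#                       a ground value n is the singleton domain {n})
#   constrained atom  = (pred, tuple of constrained terms)
#   clause            = (head, constraint, body); head/body atoms are
#                       (pred, [arg, ...]) with arg a variable name or an int,
#                       and constraint a dict  var -> frozenset  (x ∈ S)


def as_domain(arg):
    """Normalise a ground value n to the singleton domain {n}."""
    return frozenset({arg}) if isinstance(arg, int) else arg


def bind(env, var, dom):
    """Syntactic unification of a variable with a domain variable narrows its
    domain; an empty domain means the constraint is unsatisfiable."""
    env[var] = env.get(var, UNIVERSE) & dom
    return bool(env[var])


def tp(program, interp):
    """One application of the immediate consequence operator T_P (Def. 3)."""
    out = set()
    for head, constraint, body in program:
        # candidate constrained atoms c_i[]b_i from I for every body atom
        candidates = [[a for a in interp if a[0] == b[0] and len(a[1]) == len(b[1])]
                      for b in body]
        for choice in product(*candidates):
            env, ok = {}, True
            for (_, bargs), (_, aargs) in zip(body, choice):
                for arg, dom in zip(bargs, aargs):
                    if isinstance(arg, str):
                        ok = ok and bind(env, arg, dom)
                    else:
                        ok = ok and arg in dom
            # the clause constraint c' together with the c_i must be satisfiable
            for var, dom in constraint.items():
                ok = ok and bind(env, var, dom)
            if not ok:
                continue  # D does not satisfy ∃c: no consequence from this choice
            hpred, hargs = head
            # projection ∃_{-Vars(h)} is just dropping variables outside the head
            out.add((hpred, tuple(env.get(a, UNIVERSE) if isinstance(a, str)
                                  else as_domain(a) for a in hargs)))
    return out


def lfp(program):
    """T_P ↑ ω: iterate from the empty interpretation until nothing new appears."""
    interp = set()
    while True:
        nxt = interp | tp(program, interp)
        if nxt == interp:
            return interp
        interp = nxt


def subdomains(dom):
    """All non-empty sub-domains of dom (the instances of x∈S [] x)."""
    items = sorted(dom)
    for mask in range(1, 1 << len(items)):
        yield frozenset(v for i, v in enumerate(items) if mask >> i & 1)


def instance_closure(atoms):
    """cl(S): with independent domain constraints every instance is obtained by
    choosing a non-empty sub-domain for each argument."""
    return {(p, subs) for p, args in atoms
            for subs in product(*map(subdomains, args))}


def d_instances(atoms):
    """The D-instances: ground atoms given by valuations satisfying the constraint."""
    return {(p, vals) for p, args in atoms for vals in product(*args)}


# Constructed programs: P1 and P2 follow Section 2.2; P3 adds a clause
# q(X) <- X∈{0,1,2,3}, p(X) and a clause r(Y) <- X∈{3}, p(X) whose constraint
# is unsatisfiable together with the body (so it contributes nothing).
P1 = [(('p', [1]), {}, []), (('p', [2]), {}, [])]
P2 = [(('p', ['X']), {'X': frozenset({1, 2})}, [])]
P3 = P2 + [(('q', ['X']), {'X': frozenset({0, 1, 2, 3})}, [('p', ['X'])]),
           (('r', ['Y']), {'X': frozenset({3})}, [('p', ['X'])])]

if __name__ == "__main__":
    for name, prog in (("P1", P1), ("P2", P2), ("P3", P3)):
        fix = lfp(prog)
        print(name, "T_P↑ω =", fix)
        print(name, "|M(P)| =", len(instance_closure(fix)),
              " D-instances =", d_instances(fix))
```

Running it shows the point of Example 4: P1 and P2 have the same D-instances {p(1), p(2)}, while only M(P2) contains the constrained atom x∈{1,2}[]p(x); for P3 the clause for r yields nothing because its constraint cannot be satisfied together with the body.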



2.3 Call-Success Semantics 

We are interested in the actual form of procedure calls and successes that occur 
during the execution of a program. We assume the Prolog selection rule. Such 
semantics will be called the call-success semantics. 

Without loss of generality we can restrict ourselves to atomic initial goals.
Given a program and a class of initial goals, we want to provide two sets of
constrained atoms corresponding to the calls and to the successes. For technical
reasons it is convenient to have just one set. So for each predicate symbol p
we introduce two new symbols *p and p*; we will call them annotated predicate
symbols. They will be used to represent, respectively, call and success instances
of atoms whose predicate symbol is p. For an atom A = p(t), we will denote
*p(t) and p*(t) by *A and A* respectively. We will use analogous notation for
constrained atoms. (If A = c[]p(t) then *A = c[]*p(t), etc).

The call-success semantics is defined in terms of the computations of the pro-
gram. For a given operational semantics, which specifies what the computations
of a program are, one defines what are the procedure calls and the procedure
successes of these computations. For logic programs and LD-resolution this is
done for instance in [ref]. It is rather obvious how to generalize it to CLP;
we omit the details.

Definition 5. Let P be a CLP program and G a set of constrained atoms. Their
call-success semantics CS(P, G) is a set of constrained atoms (with annotated
predicate symbols) such that

1. c[]*p(t) ∈ CS(P, G) iff there exists an LD-derivation for P with the initial
goal in G and in which c[]p(t) is a procedure call;

2. c[]p*(t) ∈ CS(P, G) iff there exists an LD-derivation for P with the initial
goal in G and in which c[]p(t) is a procedure success.

We will characterize the call-success semantics of a program P as the declara-
tive semantics of some other program P^cs. In logic programming this approach
is often called “magic transformation”. Program P^cs can also be viewed as
the verification conditions of the proof method of [ref] or an instance of the
verification conditions of the proof method of [ref].

Proposition 6. Let P be a CLP program and G a set of constrained atoms.
Then

    cl(CS(P, G)) = cl(T_{P^cs}↑ω(G))

where P^cs is a program that for each clause H ← c, B1, ..., Bn from P contains
the clauses:

    *B1 ← c, *H.
    *B_{i+1} ← c, *H, B1*, ..., Bi*.        (1 ≤ i < n)
    H* ← c, *H, B1*, ..., Bn*.

PROOF (outline) One shows that all the procedure calls and successes occurring
in (a prefix of) an SLD-derivation of length j are in (T_{P^cs})^j(G). Conversely, for
any member of (T_{P^cs})^j(G) the corresponding call/success occurs in a derivation.
Both proofs are by induction on j. □

Assume that the set of initial constrained goals is characterized by a CLP
program P': G = { A | *A ∈ M(P') }. Assume that no predicate p* occurs in P'.
From the last proposition it follows that the declarative semantics of P^cs ∪ P'
describes the call-success semantics of P:

    cl(CS(P, G)) = M(P^cs ∪ P') ∩ A

where A is the set of all constrained atoms with annotated predicate symbols.
(The role of the intersection with A is to remove auxiliary predicates that may
originate from P').
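The clause scheme of Proposition 6, as an added Python example that is not the paper's or CHIP's code: it rewrites clauses purely syntactically, encodes *p and p* as the predicate names '*p' and 'p*' (an assumption of this example), builds P^cs ∪ P' for a goal program P', and applies the filter ∩ A from the end of the section. The append program and its goal program are constructed; their constraint fields are just strings, since nothing here evaluates constraints.

```python
# Clause representation (constructed for this example; not the paper's code):
#   clause = (head, constraint, body), atoms = (pred, args), args kept as an
#   opaque tuple of strings because the transformation is purely syntactic.
#   *p and p* are encoded as the predicate names '*p' and 'p*' (an assumption
#   of this example).


def call(atom):
    """*A: the call annotation of atom A."""
    pred, args = atom
    return ('*' + pred, args)


def success(atom):
    """A*: the success annotation of atom A."""
    pred, args = atom
    return (pred + '*', args)


def magic(program):
    """P^cs of Proposition 6. For every clause H <- c, B1, ..., Bn produce
         *B1      <- c, *H.
         *B_{i+1} <- c, *H, B1*, ..., Bi*.      (i = 1, ..., n-1)
         H*       <- c, *H, B1*, ..., Bn*.
    The clause constraint c is kept in every generated clause."""
    out = []
    for head, c, body in program:
        for i, b in enumerate(body):
            out.append((call(b), c, [call(head)] + [success(x) for x in body[:i]]))
        out.append((success(head), c, [call(head)] + [success(x) for x in body]))
    return out


def annotated_only(atoms):
    """Intersection with A: keep only constrained atoms with annotated predicates,
    dropping auxiliary predicates that originate from the goal program P'."""
    return {a for a in atoms if a[0].startswith('*') or a[0].endswith('*')}


# Constructed sample: list append, with the initial goals characterised by a
# goal program P' whose single clause says which calls of app are considered.
APPEND = [
    (('app', ('[]', 'Ys', 'Ys')), 'true', []),
    (('app', ('[X|Xs]', 'Ys', '[X|Zs]')), 'true', [('app', ('Xs', 'Ys', 'Zs'))]),
]
GOALS = [(('*app', ('Xs', 'Ys', 'Zs')), 'list(Xs)', [])]


def cs_program(program, goal_program):
    """P^cs ∪ P': the program whose declarative semantics describes CS(P, G)."""
    return magic(program) + goal_program


if __name__ == "__main__":
    for head, c, body in cs_program(APPEND, GOALS):
        print(head, "<-", c, *body)
```

For a clause with n body atoms the transformation yields n + 1 clauses, one per call position plus the success clause, so the recursive append clause produces a call clause for its body atom and a success clause, and the fact produces only a success clause.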
3 Types

We are interested in computing approximations of the call-success semantics of 
programs. A program’s semantics is an instance closed set of constrained atoms, 
an approximation is its superset. The approximations are to be manipulated by 
an analysis algorithm and communicated to the user. 

We need a suitable class of approximations and a language to specify them.
We extend for that purpose the formalism of regular unary logic programs
used in LP to describe regular sets of terms/atoms⁴. We call such sets regular
(constraint) types. So we use (a restricted class of) CLP programs and their
declarative c-semantics to describe approximations of the call-success semantics
of CLP programs.



3.1 Regular Unary Programs 

Our approach to defining types is a generalization of canonical regular unary logic
(RUL) programs [ref]. We begin this section with presenting RUL programs.
Then we introduce our generalization, called RULC programs. We conclude with
several examples.

To define types we will use a restricted kind of programs, with unary predi-
cates only. In such a program R a predicate symbol t is considered to be a name
of a type and t_R := { c[]u | c[]t(u) ∈ M(R) } is the corresponding type.

Definition 7. A (canonical) regular unary logic program (RUL program) is
a finite set of clauses of the form:

    t0(f(x1, ..., xn)) ← t1(x1), ..., tn(xn).                    (1)

(where n ≥ 0 and x1, ..., xn are distinct variables) such that no two clause heads
have a common instance.

Notice that the types defined by a RUL program are sets of ground terms.
(For such programs there is no difference between the c-semantics and the least
Herbrand model semantics).

RUL programs were introduced in [ref]. In [ref] they are called re-
duced regular unary-predicate programs. The formalism defines tuple distribu-
tive [ref] sets of terms. So if f(u1, u2) and f(u1', u2') are members of
such a set then also f(u1, u2') and f(u1', u2) are. (For exact definitions the reader
is referred to [ref]).

We will write F[x1, ..., xn] to stress that F is a formula such that Vars(F) ⊆
{x1, ..., xn}. F[u1, ..., un] will denote F with each xi replaced by the term ui.



⁴ The formalism is equivalent to deterministic root-to-frontier tree automata [ref],
to (deterministic) regular term grammars (see e.g. [ref] and references therein)
and to type graphs of [ref].
Definition 8. A constraint c[x] in a constraint domain D will be called a reg-
ular constraint if there exists a RUL program R and a predicate symbol t such
that for any ground term u, D ⊨ c[u] iff u ∈ t_R. Constraint c will be called
the corresponding constraint for t and R.

Notice that a constraint corresponding to a RUL program may be not regular
(if D' is a non-Herbrand domain). For instance consider domain D' of integers,
where + is an interpreted function symbol. Take a program R = {t(4).}. The
set of terms satisfying the corresponding constraint contains for instance 1 + 3
and 3 + 1 but not 3 + 3. So it cannot be described by a RUL program.

The next definition provides a CLP generalization of RUL programs. From
now on we assume that the constraint domain D contains the regular constraints.

Definition 9. By an instance of the head of a clause h ← c, b1, ..., bn (where
c is a constraint and b1, ..., bn are non-constraint atoms) we mean an instance
of c[]h. A regular unary constraint logic program (RULC program) is a finite
set of clauses of the form (1) or of the form

    t0(x) ← c[x].                                                (2)

(where c[x] is a regular constraint) such that no two clause heads have a common
instance.

Example 10. The type t described by the RUL program { t(2). t(3). t(4). }
is the set {2, 3, 4} of ground terms.

Consider CLP(FD) [ref]. To describe type t extended by a domain vari-
able, with {2,3,4} as its domain, we use a regular constraint x∈{2,3,4} in a
RULC program R' = { t'(x) ← x∈{2,3,4} }. Indeed, t'_{R'} = cl(x∈{2,3,4} [] x).

Example 11. A type of lists with (possibly nonground) elements satisfying a constraint $c$ can be expressed by the following RULC program $R$:

$\mathit{list}([]) \leftarrow .$
$\mathit{list}([x|xs]) \leftarrow \mathit{elem}(x), \mathit{list}(xs).$
$\mathit{elem}(x) \leftarrow c[x].$

The c-semantics of this program is

$$M(R) = \mathit{cl}\bigl(\{\, c[x_1], \ldots, c[x_n] \,\Box\, \mathit{list}([x_1, \ldots, x_n]) \mid n \ge 0 \,\} \cup \{\, c[x] \,\Box\, \mathit{elem}(x) \,\}\bigr).$$

Let $Q$ be a RUL program such that $c[x]$ is the corresponding constraint for $\mathit{elem}$ and $Q$. Replacing in $R$ the last clause by (the clauses of) $Q$ results in a RUL program $R'$ describing the set of ground lists from the previous type.

Let $c_{\mathit{list}}[x]$ be the corresponding constraint for $\mathit{list}$ and $R'$. A type of possibly non-ground lists with elements of the type $\mathit{elem}$ can be defined by a one-clause RULC program $R''$:

$\mathit{list}(x) \leftarrow c_{\mathit{list}}[x].$

The type contains unbound variables whose further bindings are restricted to be lists (i.e. constrained variables of the form $c_{\mathit{list}}[y] \,\Box\, y$). It also contains all their instances. Thus our approach makes it possible to express prescriptive types like those of the programming language Gödel [?].

Comparing the three list types presented here, we obtain C C 



Example 12. The type of all ground terms (over the given signature) is defined by predicate $\mathit{ground}$ and a (RUL) program containing the clause $\mathit{ground}(f(x_1, \ldots, x_n)) \leftarrow \mathit{ground}(x_1), \ldots, \mathit{ground}(x_n)$ for each function symbol $f$ of arity $n \ge 0$.

The type of all constrained terms is defined by predicate $\mathit{any}$ and program $\{\, \mathit{any}(x) \leftarrow \mathit{true} \,\}$.

3.2 Operations on Types

In type analysis some basic operations on types are employed. One has to perform a check for type emptiness and inclusion. One has to compute the intersection and (an approximation of) the union of two types⁵. One has to find the type $\{\, c_1, \ldots, c_n \,\Box\, f(u_1, \ldots, u_n) \mid c_i \,\Box\, u_i \in \llbracket t_i \rrbracket,\ i = 1, \ldots, n \,\}$ for given types $t_1, \ldots, t_n$, and for a given type $t$ and an $i$ find the type $\{\, (\exists_{-\mathit{Vars}(u_i)}\, c) \,\Box\, u_i \mid c \,\Box\, f(u_1, \ldots, u_n) \in \llbracket t \rrbracket \,\}$. These operations for RULC are generalizations of those for RUL [GdW94] and are described in [DP98a]. Here we present only an example. To find the intersection of the types $t_1, t_2$ defined by

$t_1(f(x_1, \ldots, x_n)) \leftarrow r_1(x_1), \ldots, r_n(x_n).$
$t_2(x) \leftarrow c[x].$

we construct the clauses

$(t_1 \cap t_2)(f(x_1, \ldots, x_n)) \leftarrow (r_1 \cap s_1)(x_1), \ldots, (r_n \cap s_n)(x_n).$
$s_1(x_1) \leftarrow \exists_{-\{x_1\}}\, c[f(x_1, \ldots, x_n)].$
$\ \vdots$
$s_n(x_n) \leftarrow \exists_{-\{x_n\}}\, c[f(x_1, \ldots, x_n)].$

Here $r \cap s$ is a new type, the intersection of the types $r, s$; $s_1, \ldots, s_n$ are new types. Notice that $c[f(x_1, \ldots, x_n)]$ is a regular constraint.
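The following is an added example, not code from the paper or its prototype: it represents a RUL program as a deterministic regular tree grammar and implements three of the operations just listed, emptiness, membership of a ground term, and intersection by the product construction shown above, for the pure RUL case in which both types are given by clauses of form (1) (the RULC case with a constraint clause $t_2(x) \leftarrow c[x]$ is not modelled). The sample program, type names and term encoding are constructed for the example.

```python
# Added example (not from the paper): a RUL program as a deterministic regular
# tree grammar, with three of the type operations of Sect. 3.2 -- emptiness,
# membership of a ground term, and intersection by the product construction.
# Only RUL clauses t0(f(x1,...,xn)) <- t1(x1),...,tn(xn) are handled; the
# RULC case with a constraint clause t2(x) <- c[x] is not modelled here.
# A clause is stored as (t0, f, (t1, ..., tn)); a ground term as (f, (args...)).

def rul_program(clauses):
    """Index clauses by head type and functor.  RUL determinism ("no two
    clause heads have a common instance") means one clause per (type, functor)."""
    prog = {}
    for t0, f, args in clauses:
        bucket = prog.setdefault(t0, {})
        if f in bucket:
            raise ValueError(f"clauses for {t0}({f}(...)) have a common head instance")
        bucket[f] = tuple(args)
    return prog

def member(prog, t, term):
    """Is the ground term in [[t]]_R?  Each subterm is checked against the
    argument type of the (unique) clause for its functor."""
    f, args = term
    sig = prog.get(t, {}).get(f)
    if sig is None or len(sig) != len(args):
        return False
    return all(member(prog, ti, ai) for ti, ai in zip(sig, args))

def nonempty_types(prog):
    """Emptiness check as a least fixpoint: a type is non-empty as soon as one
    of its clauses has only non-empty argument types (constants have none)."""
    nonempty = set()
    changed = True
    while changed:
        changed = False
        for t, clauses in prog.items():
            if t in nonempty:
                continue
            if any(all(ti in nonempty for ti in sig) for sig in clauses.values()):
                nonempty.add(t)
                changed = True
    return nonempty

def intersect(prog, t1, t2):
    """Product construction: (t1 n t2)(f(x1..xn)) <- (r1 n s1)(x1),...,(rn n sn)(xn)
    for every functor f admitted by both t1 and t2.  Returns the program extended
    with the new types and the name of t1 n t2."""
    new = {t: dict(clauses) for t, clauses in prog.items()}
    names = {}

    def meet(a, b):
        if (a, b) not in names:
            name = f"({a}&{b})"
            names[(a, b)] = name          # registered first, so cycles terminate
            new[name] = {}
            for f in set(new.get(a, {})) & set(new.get(b, {})):
                ra, sb = new[a][f], new[b][f]
                if len(ra) == len(sb):
                    new[name][f] = tuple(meet(x, y) for x, y in zip(ra, sb))
        return names[(a, b)]

    return new, meet(t1, t2)

# Constructed sample program (in the spirit of Examples 10-12): the type
# t = {2,3,4}, ground lists of t-elements, ground lists of even elements, and a
# type without a base clause, which is therefore empty.
SAMPLE = rul_program([
    ("t", "2", ()), ("t", "3", ()), ("t", "4", ()),
    ("even", "2", ()), ("even", "4", ()), ("even", "6", ()),
    ("list", "[]", ()), ("list", ".", ("t", "list")),
    ("evlist", "[]", ()), ("evlist", ".", ("even", "evlist")),
    ("inf", ".", ("t", "inf")),
])

def plist(*consts):
    """Build the ground Prolog-style list [c1, c2, ...] as nested '.'/2 terms."""
    term = ("[]", ())
    for c in reversed(consts):
        term = (".", ((str(c), ()), term))
    return term
```

`intersect(SAMPLE, "list", "evlist")` yields a type admitting exactly the lists over $t \cap \mathit{even} = \{2,4\}$; `nonempty_types` reports `inf` as empty because its only clause depends on itself.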

3.3 Regular Programs as an Abstract Domain 

In this section we present how RULC programs are used to approximate the semantics of CLP programs. We also show that it is a rather unusual case of abstract interpretation, as most of the commonly required conditions [?] are not satisfied.

In our approach, the concrete domain $\mathcal{C}$ is that of the semantics of programs. So $\mathcal{C}$ is the set of sets of constrained atoms over the given language. (We do not need to make the domain more sophisticated by removing from $\mathcal{C}$ those elements that are not the meaning of any program.) $(\mathcal{C}, \subseteq)$ is a complete lattice.

⁵ The union of two types defined by RULC programs may be not definable by RULC programs.

We want to approximate sets of constrained atoms by RULC programs. Following [GdW92, GdW94] we introduce a distinguished (unary) predicate symbol $\mathit{approx}$. The type corresponding to $\mathit{approx}$ in a RULC program $R$ is understood as the set of constrained atoms specified by $R$. Notice that the arguments of $\mathit{approx}$ are treated both as atoms and as terms; we use here the ambivalent syntax [?]. So $R$ approximates a set $I$ of constrained atoms iff $I \subseteq \llbracket \mathit{approx} \rrbracket_R$. We will call such a program $R$ a regular approximation of $I$.

Example 13. Let $P$ be the following CLP(R) program:

$\mathit{rev}([], Y, Y).$
$\mathit{rev}([f(V,X)|T], Y, Z) \leftarrow V*V + X*X < 9,\ \mathit{rev}(T, Y, [f(V,X)|Z]).$

Then the following program is a regular approximation of $M(P)$:

$\mathit{approx}(\mathit{rev}(X, Y, Z)) \leftarrow t1(X), \mathit{any}(Y), \mathit{any}(Z).$
$t1([]).$
$t1([A|Xs]) \leftarrow t2(A), t1(Xs).$
$t2(f(X, Y)) \leftarrow t3(X), t3(Y).$
$t3(X) \leftarrow -3 < X,\ X < 3.$

So the abstract domain $\mathcal{A}$ is the set of RULC programs (over the given language). The concretization function $\gamma : \mathcal{A} \to \mathcal{C}$ is defined as the meaning of $\mathit{approx}$:

$$\gamma(R) := \llbracket \mathit{approx} \rrbracket_R.$$

The ordering of the concrete domain induces the relation $\sqsubseteq$ on $\mathcal{A}$:

$$R \sqsubseteq R' \ \text{ iff }\ \gamma(R) \subseteq \gamma(R').$$

$\sqsubseteq$ is a pre-order but not a partial order.

This is a case of abstract interpretation in which an abstraction function does not exist. The reason is, roughly speaking, that there may exist an infinite decreasing sequence of regular approximations (of some $I \in \mathcal{C}$) which does not have a g.l.b. in $\mathcal{A}$⁶.

We want also to mention that the abstract immediate consequence function $T'_P$, defined later on and used in type inference, may be not monotonic. So its least fixpoint may not exist. The properties outlined above hold already for the approach of [GdW92, GdW94]; this contradicts some claims of [GdW92, GdW94].

⁶ This property also holds when the pre-order $(\mathcal{A}, \sqsubseteq)$ is replaced by the induced partial order on the set $\mathcal{A}/\!\equiv$. Also, using another natural pre-order on $\mathcal{C}$ ($R \sqsubseteq R'$ iff $M(R) \subseteq M(R')$) does not improve the properties discussed in this section.
3.4 Types for CLP(FD)

The concept of finite domains was introduced to logic programming by [?]. We will basically follow this framework, including the terminology. So within this section "domain" stands for a finite domain in the sense of [?]. We assume that a domain is a finite set of natural numbers (including 0). This is the case in most CLP(FD) languages. To any domain $S$ there corresponds a domain constraint $x \in S$, with the expected meaning. Usually a variable involved in such a constraint is called a domain variable.

In our type analysis for CHIP we use some types that correspond to restrictions on the form of arguments of finite domain constraint predicates. We need the type of natural numbers, the type of integers, the type of finite domains (the l.u.b. of the types of the form $\mathit{cl}(x \in S \,\Box\, x)$), the type of arithmetical expressions and its subset of so-called linear terms.

Defining the first three of them by a RULC program would require an infinite set of clauses. So we extend RULC programs by three "built-in" types⁷. We introduce unary predicate symbols $\mathit{nat}$, $\mathit{neg}$ and $\mathit{anyfd}$, which cannot occur in the left-hand side of a RULC clause. We assume that (independently from a RULC program) $\llbracket \mathit{nat} \rrbracket$ is the set of all non-negative integer constants, $\llbracket \mathit{neg} \rrbracket$ is the set of all negative integer constants and $\llbracket \mathit{anyfd} \rrbracket$ is $\mathit{cl}(\{\, x \in S \,\Box\, x \mid S \subseteq \mathbb{N},\ S \text{ is finite} \,\})$⁸.

We allow clauses of the form $t(x) \leftarrow \mathit{builtin}(x)$ to occur in RULC programs (where $\mathit{builtin}$ is one of the three symbols). By an instance of the head of such a clause we mean any element of $\llbracket \mathit{builtin} \rrbracket$.

The type $\mathit{int}$ of integers and the type of arithmetical expressions are defined by means of these special types by a RULC program. The type of linear terms cannot be defined by a RULC program (for instance, for domain variables $x, y$ and a natural number $n$, it contains $x * n$ and $n * y$ but not $x * y$). So we use a RULC description of a superset of it.

4 Type Inference

The core of our method is computing a regular approximation of the c-semantics of a program. It is described in [DP98a]; here we present an outline. Our approach is based on [GdW92, GdW94]; it can be seen as a bottom-up abstract interpretation. We use a function $T'_P : \mathcal{A} \to \mathcal{A}$, which approximates the immediate consequence operator $T_P$. The program semantics $M(P)$ is approximated by a fixpoint of $T'_P$. A technique of widening, similar to that of [?], is applied to assure that a fixpoint is reached in a finite number of steps.

For a CLP program $P$ and an RULC program $R$, $T'_P(R)$ is defined as

$$T'_P(R) = \mathit{norm}\Bigl( R \sqcup \bigsqcup_{C \in P} \mathit{solve}(C, R) \Bigr)$$

⁷ Alternatively we can assume that the type of integers is finite. A similar solution is taken in constructing a semantics for CLP with interval constraints [?].

⁸ If all the finite domains are subsets of some maximal domain $0..\mathit{max}$, then this type may be defined by a RULC clause $\mathit{anyfd}(x) \leftarrow x \in 0..\mathit{max}$.
Here $\mathit{norm}$ [GdW94, DP98a] is a widening function; $R \sqsubseteq \mathit{norm}(R)$ for any $R$. For RULC programs $Q$ and $Q'$, $Q \sqcup Q'$ is a RULC program such that $Q \sqsubseteq Q \sqcup Q'$ and $Q' \sqsubseteq Q \sqcup Q'$. It is computed using the type union operation of Sect. 3.2.

The main function is $\mathit{solve}$, which gives a regular approximation of $T_{\{C\}}(\gamma(R))$: $T_{\{C\}}(\gamma(R)) \subseteq \gamma(\mathit{solve}(C, R))$. Due to lack of space we only briefly outline its definition. It is based on that of [GdW92, GdW94]. The main difference is that we take into account the constraints occurring in clause $C$. Let $C = h \leftarrow c, b_1, \ldots, b_m$, where $c[x_1, \ldots, x_n]$ is a conjunction of elementary constraints. We approximate $c$ by computing a "projection" of $c$. The projection consists of one-argument constraints $c_1[x_1], \ldots, c_n[x_n]$ such that

$$\mathcal{D} \models c[x_1, \ldots, x_n] \rightarrow c_1[x_1], \ldots, c_n[x_n].$$

It is computed using the constraint solver of the underlying CLP implementation (or possibly some more powerful solver). So the types defined in the RULC program $R' = \{\, t_i(x_i) \leftarrow c_i[x_i] \mid i = 1, \ldots, n \,\}$ approximate the sets of possible values of the variables in $c$. Now the clause $C' = h \leftarrow t_1(x_1), \ldots, t_n(x_n), b_1, \ldots, b_m$ is submitted as an argument to the function $\mathit{solve}$ of [GdW92, GdW94], together with $R \cup R'$ as the second argument. It computes an approximation of $T_{\{C'\}}(\gamma(R \cup R'))$, thus of $T_{\{C\}}(\gamma(R))$.

As $T_{\{C\}}(\gamma(R)) \subseteq \gamma(\mathit{solve}(C, R))$ and $R \sqsubseteq \mathit{norm}(R)$, we have that $T'_P$ approximates the concrete semantic function $T_P$, and thus

$$\forall n \quad T_P \uparrow n \subseteq \gamma(T'_P \uparrow n).$$

Due to widening, a fixed point of $T'_P$ is found in a finite number of iterations (cf. [GdW94]): $T'_P \uparrow n = T'_P \uparrow \omega$ for some $n$. We call it the computed fixpoint. Function $T'_P$ is in general not monotonic w.r.t. $\sqsubseteq$ (as $\mathit{norm}$ is not monotonic and $\sqcup$ is not required to be). Thus we cannot claim that the computed fixpoint is the least fixpoint.

The result $T'_P \uparrow \omega$ of the computation approximates $M(P)$, as $M(P) = \mathit{lfp}(T_P) \subseteq \gamma(T'_P \uparrow \omega) = \llbracket \mathit{approx} \rrbracket_{T'_P \uparrow \omega}$.
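The projection step described in this section, as an added example that is not the paper's own solver: a clause constraint $c[x_1, \ldots, x_n]$ is given as a Python predicate and every variable ranges over a finite set of integers, so the "solver" is exhaustive enumeration (an assumption standing in for the CLP system's solver). It produces the one-argument constraints $c_i[x_i]$ as domain constraints $x_i \in S_i$, renders them as RULC clauses $t_i(x_i) \leftarrow x_i \in S_i$, and checks both that $\mathcal{D} \models c \rightarrow c_1, \ldots, c_n$ holds and whether the projection has lost precision. The constraints and domains below are constructed; the first is Example 13's $V*V + X*X < 9$ moved to a finite domain.

```python
# Added example (not the paper's own solver): the projection step of Sect. 4
# for finite-domain constraints.  A clause constraint c[x1,...,xn] is given as
# a Python predicate over an environment {var: value}, and every variable
# ranges over a finite set of integers.  The "solver" is exhaustive
# enumeration, an assumption standing in for the CLP system's solver; it
# yields one-argument constraints c_i[x_i] = (x_i in S_i) with
# D |= c -> c_1, ..., c_n, and the RULC clauses t_i(x_i) <- x_i in S_i.
from itertools import product

def project(constraint, domains):
    """Return {var: S} where S is the set of values the variable takes in some
    solution of `constraint` over the given finite domains."""
    names = list(domains)
    projected = {v: set() for v in names}
    for values in product(*(sorted(domains[v]) for v in names)):
        env = dict(zip(names, values))
        if constraint(env):
            for v in names:
                projected[v].add(env[v])
    return projected

def rulc_clauses(projected):
    """Render the projection as RULC clauses t_x(x) <- x in S (as strings)."""
    return [f"t_{v}({v}) <- {v} in {{{', '.join(map(str, sorted(s)))}}}"
            for v, s in projected.items()]

def is_sound(constraint, domains, projected):
    """D |= c -> c_1,...,c_n: every solution satisfies all projected constraints."""
    names = list(domains)
    for values in product(*(sorted(domains[v]) for v in names)):
        env = dict(zip(names, values))
        if constraint(env) and not all(env[v] in projected[v] for v in names):
            return False
    return True

def is_exact(constraint, projected):
    """The converse holds only sometimes: is every tuple in the product of the
    projected domains a solution?  False means the projection lost precision
    (the types t_i describe each variable alone, never their coupling)."""
    names = list(projected)
    return all(constraint(dict(zip(names, values)))
               for values in product(*(sorted(projected[v]) for v in names)))

# Constructed samples.  Example 13's constraint V*V + X*X < 9, here over the
# finite domain -5..5 (the paper's version is CLP(R)); and X + Y = 5 over 0..5,
# where projection loses the coupling between the two variables.
CIRCLE_DOM = {"V": set(range(-5, 6)), "X": set(range(-5, 6))}
def circle(env):
    return env["V"] * env["V"] + env["X"] * env["X"] < 9

SUM5_DOM = {"X": set(range(0, 6)), "Y": set(range(0, 6))}
def sum5(env):
    return env["X"] + env["Y"] == 5
```

For `circle` the projected domains are $\{-2, \ldots, 2\}$ for both variables and the product of the projections contains only solutions; for `sum5` both projections are the whole domain $0..5$, so the pair $(0, 0)$ is admitted by $t_X, t_Y$ although it violates $c$, which is exactly the over-approximation the text describes.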

5 Examples

This section presents a type analysis of two example programs. The user interface of our prototype analyser employs, instead of RULC programs, a more convenient formalism. So we explain it before coming to the examples.

To provide a more compact and more readable notation, we use regular term grammars with constraints. They can be seen as an abbreviation for RULC programs. A clause $t_0(f(x_1, \ldots, x_n)) \leftarrow t_1(x_1), \ldots, t_n(x_n)$ is represented by the grammar rule $t_0 \to f(t_1, \ldots, t_n)$, a clause $t(x) \leftarrow c[x]$ by the rule $t \to c[x]$.

The formalism includes parametric types. It uses type symbols of arity $\ge 0$ and type variables; terms built out of them are called type terms. A parametric grammar rule is of the form $t(\alpha_1, \ldots, \alpha_k) \to f(t_1, \ldots, t_n)$ where $t$ is a $k$-ary type symbol, $t_i$ are type terms and $\alpha_i$ are type variables. (One requires that $\mathit{Vars}(t_1, \ldots, t_n) \subseteq \{\alpha_1, \ldots, \alpha_k\}$.) Such a rule stands for a family of RULC clauses represented by the (non-parametric) rules $t(s_1, \ldots, s_k) \to f(t_1, \ldots, t_n)\theta$, where $s_i$ are arbitrary types and $\theta$ is the substitution $\{\alpha_i/s_i \mid i = 1, \ldots, k\}$.⁹ For example, the rules

$\mathit{list}(\alpha) \to []$ $\qquad$ $\mathit{list}(\alpha) \to [\alpha \mid \mathit{list}(\alpha)]$

correspond to a family of RULC programs

$\mathit{list}(t)([]).$ $\qquad$ $\mathit{list}(t)([x_1|x_2]) \leftarrow t(x_1), \mathit{list}(t)(x_2).$

which for any type term $t$ define the type $\mathit{list}(t)$ of lists of elements of type $t$.

The user may declare some types by providing (possibly parametric) grammar rules¹⁰. Whenever possible, the system uses the declared types in its output. Thus the output may be expressed (partially) in terms of types familiar to the user; this can substantially improve the readability of the results of the analysis. For instance, assume that the system derives a type $t$ with the corresponding fragment of a RULC program:

$t([]).$ $\qquad$ $t([x|y]) \leftarrow \mathit{nat}(x), t(y).$

Then, instead of displaying the RULC clauses (or actually the corresponding grammar), the system informs that the type is $\mathit{list}(\mathit{nat})$. Notice that the system does not infer parametric polymorphic types; the polymorphism comes only from user declarations.
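How an inferred type can be recognised as an instance of a declared parametric type, as an added example (not the analyser's own code): inferred types are stored as rule tables, a declared type carries its parameters and rules, and matching proceeds coinductively, assuming a pair already under examination matches, which is what lets the recursive `list(a)` rule go through. The rule encoding, the assumption that a recursive occurrence such as `list(a)` carries the declared parameters unchanged, and the sample inferred types (the $t$ above, and the `t102`/`t78` of the buggy N-queens run later in this section) are all constructed for the example.

```python
# Added example (not the paper's analyser): recognising an inferred RULC type
# as an instance of a user-declared parametric grammar, the step that lets the
# system print list(nat) instead of t([]). t([x|y]) <- nat(x), t(y).
# Inferred types: {type: {functor: (arg types)}}.  A declared parametric type:
# (params, {functor: (arg type terms)}) where an argument type term is a
# parameter name, a built-in type name, or a tuple (type_symbol, param, ...)
# for a recursive occurrence.  Assumption: a recursive occurrence carries the
# declared parameters unchanged, as list(a) does in the rules below.

DECLARED = {
    # list(a) -> []      list(a) -> [a | list(a)]
    "list": (("a",), {"[]": (), ".": ("a", ("list", "a"))}),
}

def match_declared(inferred, t, decl_name, declared=DECLARED):
    """Return the binding {param: inferred type} under which the inferred type t
    has exactly the rules of the declared type decl_name, or None."""
    params, _ = declared[decl_name]
    binding = {}
    seen = set()

    def go(it, dname):
        if (it, dname) in seen:          # coinductive: assume the pair matches
            return True
        seen.add((it, dname))
        _, drules = declared[dname]
        irules = inferred.get(it, {})
        if set(irules) != set(drules):   # exactly the same functors are required
            return False
        for f, dargs in drules.items():
            iargs = irules[f]
            if len(iargs) != len(dargs):
                return False
            for ia, da in zip(iargs, dargs):
                if isinstance(da, tuple):            # recursive occurrence, e.g. list(a)
                    if not go(ia, da[0]):
                        return False
                elif da in params:                   # type variable: bind consistently
                    if binding.setdefault(da, ia) != ia:
                        return False
                elif ia != da:                       # concrete (built-in) type name
                    return False
        return True

    return dict(binding) if go(t, decl_name) else None

def display(inferred, t):
    """What the system would print for t: a declared type instance if one
    matches, otherwise the raw rules of t."""
    for dname, (params, _) in DECLARED.items():
        b = match_declared(inferred, t, dname)
        if b is not None:
            return f"{dname}({', '.join(b[p] for p in params)})"
    return {t: inferred[t]}

# Constructed inferred types: the t of the text above, and the t102/t78 of the
# buggy N-queens run of Sect. 5 (a list of at most one natural), which has no
# rule with functor '.' for t78 and therefore cannot be shown as list(nat).
INFERRED = {
    "t":    {"[]": (), ".": ("nat", "t")},
    "t102": {"[]": (), ".": ("nat", "t78")},
    "t78":  {"[]": ()},
}
```

`display(INFERRED, "t")` gives `list(nat)`, while `t102` fails to match because `t78` lacks the cons rule, so the system would print its rules verbatim, as the output reproduced later in this section does.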

As the first example we use the following program, which solves the well-known N-queens problem. The current version of our analyzer treats all the finite domains in a uniform way, namely as $\mathit{anyfd}$ (the types of the form $\mathit{cl}(x \in S \,\Box\, x)$ are not yet implemented).

    :- entry nqueens(nat, any).

    nqueens(N, List) :- length(List, N), List :: 1..N,
                        constraint_queens(List), labeling(List).

    labeling([]).
    labeling([X|Y]) :- indomain(X), labeling(Y).

    constraint_queens([]).
    constraint_queens([X|Y]) :- safe(X, Y, 1), constraint_queens(Y).

    safe(_, [], _).
    safe(X, [Y|T], K) :- noattack(X, Y, K), K1 is K+1, safe(X, T, K1).

⁹ So now the predicate symbols of RULC are type terms. We allow only such grammars for which no two corresponding clauses have a common head instance (cf. Def. 9). We should deal with finite RULC programs. But the program corresponding to a set of parametric rules may be infinite. So a condition on grammars is imposed: in the obtained RULC program any type should depend on a finite set of types. For details see [?].

¹⁰ The widely used type $\mathit{list}(\alpha)$, declared as above, is predefined in the system.
The entry declaration indicates the top goal and its call patterns for the call-success analysis. Types inferred by the system are presented below.

    call    : nqueens(nat, any)
    success : nqueens(nat, list(nat))
    call    : labeling(list(anyfd))
    success : labeling(list(nat))
    call    : constraint_queens(list(anyfd))
    success : constraint_queens(list(anyfd))
    call    : safe(anyfd, list(anyfd), int)
    success : safe(anyfd, list(anyfd), int)
    call    : noattack(anyfd, anyfd, int)
    success : noattack(anyfd, anyfd, int)



Assume now that the second clause defining safe/3 contains a bug:

    safe(X, [Y|T], K) :- noattack(X, Y, K), K1 is K+1, safe(X, t, K1).   % bug here

Types inferred by the analyzer look as follows (we show only those which differ from the ones generated previously):

    success : nqueens(nat, t102)
    t102 -> [nat|t78]
    t102 -> []
    t78  -> []

    call    : labeling(t90)
    t90 -> []
    t90 -> [anyfd|t78]
    success : labeling(t102)

    success : constraint_queens(t90)

    call    : safe(anyfd, t71, int)
    t71 -> []
    t71 -> [anyfd|list(anyfd)]
    t71 -> t
    success : safe(anyfd, t78, int)

The types inferred are obviously suspicious and should help in localizing the bug in the program. For instance, the second argument of the success type of nqueens/2 (type t102) is an empty list or a one-element list of naturals. A similar problem occurs with constraint_queens. The problem may be traced down to safe/3, which succeeds with the empty list as the second argument.
The next example illustrates inferring non-trivial constraints in the approximation of a program. The predicate splits(Xs, Ls, Gs) splits an input list Xs of finite domain variables (or natural numbers) into the lists of elements less than 5 and greater than or equal to 5 (Ls and Gs respectively).

    :- entry splits(list(anyfd), any, any).
    splits([], [], []).
    splits([X|Xs], [X|Ls], Gs) :- X #< 5, splits(Xs, Ls, Gs).
    splits([X|Xs], Ls, [X|Gs]) :- X #>= 5, splits(Xs, Ls, Gs).

The inferred types are presented below.

    call    : splits(list(anyfd), any, any)
    success : splits(list(anyfd), list(t1), list(t2))
    t1 -> X #< 5
    t2 -> X #>= 5

6 Conclusions and Future Work 

In this paper we propose a method of computing semantic approximations for 
CLP programs. Our aim is a practical tool that would be helpful in debugging. 
We are mainly interested in CLP(FD), particularly in the language CHIP. Our 
approach considers the (operational) call-success semantics and the (declarative) 
c-semantics. 

As a specification language to express the semantic approximations we pro- 
pose a system of regular types for CLP, which is an extension of an approach 
used for logic programs. The types are defined by (a restricted class of) CLP 
programs, called RULC programs. We present an algorithm for computing regu- 
lar approximations of the declarative semantics. This algorithm can also be used 
for approximating the call-success semantics, due to a characterization of this 
semantics by the c-semantics of a transformed program. 

We have adapted a regular approximation system (described in [GdW92, GdW94]) to constraint logic programming over finite domains. The current version analyzes programs in the language CHIP. We expect it to be easily portable to work with other CLP languages, as we have isolated its parts responsible for the built-ins of CHIP. The prototype has been implemented in CHIP and has been ported to SICStus Prolog and CIAO [?]. The latter implementation is a part of an assertion-based framework for debugging in CLP [?].

The system presents types to the user as regular term grammars, which are more easily comprehensible than RULC programs. This provides a restricted but useful kind of polymorphism (cf. Section 5).

A subject for future work is obtaining more precise analysis by using a more 
sophisticated treatment of constraints. We also plan to evaluate the method 
experimentally by applying it to non-toy programs. 

Another direction of further work is relating our technique to abstract debugging [?]. A clear relationship between these two techniques should be established. The first step is a diagnosis method [?] which finds the clauses responsible for a program being incorrect w.r.t. a type specification. That work uses the type system presented here as the class of specifications. Computing an approximation of $T_{\{C\}}$, as discussed in Sect. 4, is at the core of the diagnosis algorithm.
Abstract. We show how to define fold operators for abstract data types. 
The main idea is to represent an ADT by a bialgebra, that is, an alge- 
bra/coalgebra pair with a common carrier. A program operating on an 
ADT is given by a mapping to another ADT. Such a mapping, called 
metamorphism, is basically a composition of the algebra of the second 
with the coalgebra of the first ADT. We investigate some properties of 
metamorphisms, and we show that the metamorphic programming style 
offers far-reaching opportunities for program optimization that cover and 
even extend those known for algebraic data types. 



1 Introduction 

Expressing recursion over data types in terms of catamorphisms, or fold operations, has been successfully employed by Bird and Meertens to calculate programs from specifications [?]. They formulated laws expressing algebraic identities of programs and used them to derive algorithms in a sequence of simple transformation steps. Their work was primarily focused on lists, but it has been extended to regular algebraic data types [?]: a data type is given by a morphism which is a fixed point of a functor defining the signature of the data type. Since fixed points are initial objects, homomorphisms to other data types are uniquely defined, and this makes it possible to specify a program on a data type by simply selecting an appropriate target data type. Along with these generalizations a lot of work on program optimization has emerged that essentially relies on programs being expressed as catamorphisms, for example, [?]. The strong interest in program fusion is certainly due to the fact that catamorphisms encapsulate a class of recursion over data types that enjoys some nice mathematical properties.

Besides the original idea of having a framework for calculating programs from their specifications, avoiding general recursion is also important from a programming methodology point of view. For instance, Meijer et al. [22] stress in their often cited paper the aspect that using folds in functional languages is truly in the spirit of the structured programming methodology. Similar beliefs, that is, avoiding general recursion and using a fixed set of higher order functions, had already been emphasized before by Backus [?]. The programming languages CPL [?] and Charity [?] are designed thoroughly on the basis of this programming methodology.

It is striking that the categorical framework has been applied only sporadically to data types that are not just given by free term structures, such as abstract data types. Although the catamorphism approach principally works also for sub-algebras that satisfy certain laws, one cannot map into algebras with less structure [?]. This innocent-looking restriction means a rather severe limitation of expressiveness: for instance, such a simple task as counting the elements of a set cannot be expressed by a catamorphism.

Therefore we propose to base mappings between ADTs not just on construc- 
tors, but on explicitly defined destructors. Formally, this means to represent an 
ADT by a bialgebra, that is, a pair (algebra, coalgebra) with a common car- 
rier, and to define a mapping between two ADTs D and D' by composing the 
algebra of D' with the coalgebra of D. This offers much freedom in specifying 
ADTs and mappings between them. It also provides a new programming style 
encouraging the compositional use of ADTs. The proposed approach essentially 
uses existing concepts, such as algebra and coalgebra, on a higher level of ab- 
straction, and this is the reason that all the optimization rules developed for 
algebraic data types are still valid in this extended framework. But in addition 
to this, the “programming by ADT composition” style offers some new optimiza- 
tion opportunities: for example, since intermediate ADTs are intrinsically used 
in a single-threaded way, a compiler can automatically insert efficient imperative 
update-in-place implementations for them. 

The rest of the paper is structured as follows: after reviewing the categorical definition of algebraic data types in Sect. 2 we show how to represent abstract data types as bialgebras in Sect. 3. In Sect. 4 we introduce metamorphisms as mappings between ADTs, we provide various example programs, and we show some basic properties of ADTs and metamorphisms. In Sect. 5 we investigate several aspects of program transformation. Related work is described in Sect. 6 and conclusions follow in Sect. 7.

2 Data Types and Homomorphisms 

In this section we briefly review the categorical framework for modeling data types. More detailed introductions are given, for example, in [?]. Specific information about coalgebras can be found in [?], and hylomorphisms are explained and used in [?]. We assume some basic knowledge about category theory (an understanding of category, functor, and natural transformation should be sufficient); for an introduction see, for example, [2] or [?].

In Sect. 2.1 we briefly recall the notion of algebraic data types of functional languages. In Sect. 2.2 we show how to express signatures by functors. This is the basis for the definition of algebras and coalgebras in Sect. 2.3. We demonstrate how algebra homomorphisms can express programs on data types in Sect. 2.4.
2.1 Algebraic Data Types in Functional Languages

In modern functional languages, like ML or Haskell, data structures are represented by terms that are built by typed constructors. All constructors of one type are introduced in one definition, and the defined type is called an algebraic data type. For example, a term representation for natural numbers and a polymorphic list data type are given by:

$$\mathit{nat} = \mathit{Zero} \mid \mathit{Succ}\ \mathit{nat}$$
$$\mathit{list}\,A = \mathit{Nil} \mid \mathit{Cons}(A, \mathit{list}\,A)$$

This introduces the four constructors $\mathit{Zero} : 1 \to \mathit{nat}$, $\mathit{Succ} : \mathit{nat} \to \mathit{nat}$, $\mathit{Nil} : 1 \to \mathit{list}\,A$, and $\mathit{Cons} : A \times \mathit{list}\,A \to \mathit{list}\,A$, where $1$ denotes the unit type that contains just the one element $()$, that is, constants of type $A$ are identified with functions of type $1 \to A$. Thus, a data type can be viewed as an algebra whose operations are given by the data type constructors. Note that we consider non-strict constructors.



2.2 Polynomial Functors

In this paper the default category $\mathcal{C}$ is CPO, whose objects are complete partially ordered sets with a least element $\bot$ and whose morphisms are continuous functions. Working in CPO guarantees the existence of least fixed points for certain recursive equations needed in Sect. 2.4 and in Sect. [?]. The terminal object in $\mathcal{C}$ is the one-element type $1$. In the sequel we consider only endofunctors on $\mathcal{C}$ (that is, functors from $\mathcal{C}$ to $\mathcal{C}$) which are built by the four basic functors $I$ (identity), $\underline{A}$ (constants), $\times$ (product), and $+$ (separated sum).

The effect of the identity functor $I$ on types and functions is $I\,A = A$ and $I\,f = f$, and the constant functor for type $A$, denoted by $\underline{A}$, operates on types and functions by $\underline{A}\,B = A$ and $\underline{A}\,f = \mathit{id}_A$, where $\mathit{id}_A$ denotes the identity morphism on $A$. For an object $x$ we denote its constant function by $\underline{x}$, that is, $\underline{x}\,y = x$. The product of two types $A$ and $B$ and its operation on functions is defined as:

$$A \times B = \{(x, y) \mid x \in A,\ y \in B\}$$
$$(f \times g)\,(x, y) = (f\,x, g\,y)$$

Related operations are left and right projection and tupling (also called split):

$$\pi_1\,(x, y) = x$$
$$\pi_2\,(x, y) = y$$
$$\langle f, g \rangle\,x = (f\,x, g\,x)$$

Finally, the separated sum of two types $A$ and $B$ and its operation on functions is defined as:
$$A + B = \{1\} \times A \,\cup\, \{2\} \times B \,\cup\, \{\bot\}$$
$$(f + g)\,(1, x) = (1, f\,x)$$
$$(f + g)\,(2, y) = (2, g\,y)$$
$$(f + g)\,\bot = \bot$$

Related operations are left and right injection and case analysis (also called junc):

$$\iota_1\,x = (1, x)$$
$$\iota_2\,y = (2, y)$$
$$[f, g]\,(1, x) = f\,x$$
$$[f, g]\,(2, y) = g\,y$$
$$[f, g]\,\bot = \bot$$

The use of separated sum is convenient for the treatment of, for example, infinite lists. However, algebras for, say, natural numbers are usually better modeled with coalesced sum (which identifies bottom elements). These issues are discussed in some detail in [?].

Separated sum and product are bifunctors that map from the product category $\mathcal{C} \times \mathcal{C}$ to $\mathcal{C}$. Fixing one parameter of a bifunctor yields a monofunctor: the (left) section of a bifunctor $F$ and an object $A$ is defined as $F_A(B) = F(A, B)$. Thus, for example, $\times_A$ is a monofunctor which takes an object $B$ and maps it to the product $A \times B$.

Now polynomial functors are inductively defined as follows: (i) $I$ and $\underline{A}$ are polynomial functors, and (ii) if $F$ and $G$ are polynomial functors, then so are their composition $FG$, their sum $F + G$, and their product $F \times G$, where $(F + G)(X) = F(X) + G(X)$ and $(F \times G)(X) = F(X) \times G(X)$ (for both types and functions $X$). Two examples of polynomial functors are:

$$N = \underline{1} + I$$
$$L_A = \underline{1} + \underline{A} \times I$$

Here $L_A$ is actually a left section of a bifunctor.

(A note on operator precedence: function application binds strongest, and $\times$ binds stronger than $+$, which in turn binds stronger than composition "$\circ$".)

2.3 Algebras and Coalgebras

Let endofunctor $F : \mathcal{C} \to \mathcal{C}$ represent a signature. Then an $F$-algebra is a morphism $\alpha : F(A) \to A$. Object $A$ is called the carrier of the algebra. We can extract the carrier of an algebra with the forgetful functor $U$, that is, $U(\alpha) = A$. Dually, an $F$-coalgebra is a morphism $\bar\alpha : A \to F(A)$. An $F$-homomorphism from algebra $\alpha : F(A) \to A$ to algebra $\beta : F(B) \to B$ is a morphism $h : A \to B$ in $\mathcal{C}$ that satisfies $h \circ \alpha = \beta \circ F(h)$. As a shorthand for this condition we write $h : \alpha \to \beta$. The category of $F$-algebras $\mathbf{Alg}(F)$ has as objects $F$-algebras and as arrows $F$-homomorphisms. (Composition and identities in $\mathbf{Alg}(F)$ are taken from $\mathcal{C}$.) Dually, $\mathbf{CoAlg}(F)$ is the category of $F$-coalgebras with $F$-cohomomorphisms (where a morphism $h : A \to B$ from coalgebra $\bar\alpha : A \to F(A)$ to coalgebra $\bar\beta : B \to F(B)$ is a cohomomorphism if it satisfies $F(h) \circ \bar\alpha = \bar\beta \circ h$).

If $F$ is a polynomial functor on CPO, $\mathbf{Alg}(F)$ has an initial object, which is denoted by $\mathit{in}_F$. This means that $\mathit{in}_F : F(T) \to T$ is an $F$-algebra with carrier $T = U(\mathit{in}_F)$ (the "$T$" reminds of "term algebra"). Dually, $\mathbf{CoAlg}(F)$ has a terminal object, denoted by $\mathit{out}_F$, and $\mathit{out}_F : T \to F(T)$ is an $F$-coalgebra with the same carrier $T$ as $\mathit{in}_F$. Moreover, $\mathit{in}_F$ and $\mathit{out}_F$ are each other's inverses, and they thus define an isomorphism $T \cong F(T)$ in CPO.

Now the definitions of Sect. 2.1, written categorically as:

$$[\mathit{Zero}, \mathit{Succ}] : N(\mathit{nat}) \to \mathit{nat}$$
$$[\mathit{Nil}, \mathit{Cons}] : L_A(\mathit{list}\,A) \to \mathit{list}\,A$$

with $N(\mathit{nat}) = 1 + \mathit{nat}$ and $L_A(\mathit{list}\,A) = 1 + A \times \mathit{list}\,A$, define the data types as initial objects in the category of $N$-algebras, respectively $L_A$-algebras, that is, $\mathit{nat} = [\mathit{Zero}, \mathit{Succ}] := \mathit{in}_N$ and $\mathit{list}\,A = [\mathit{Nil}, \mathit{Cons}] := \mathit{in}_{L_A}$.

With sums we can also define conditionals. First, we define a type for booleans by:

$$\mathit{bool} = \mathit{True} \mid \mathit{False}$$

(which is just syntax for $\mathit{bool} = [\mathit{True}, \mathit{False}] := \mathit{in}_B$ with $B = \underline{1} + \underline{1}$). Now for each predicate $p : A \to \mathit{bool}$ a morphism $p? : A \to A + A$ is defined by [?]:

$$p?(a) = \begin{cases} \bot & \text{if } p(a) = \bot \\ \iota_1\,a & \text{if } p(a) = \mathit{True} \\ \iota_2\,a & \text{if } p(a) = \mathit{False} \end{cases}$$

The conditional is then simply defined by $\mathbf{if}\ p\ \mathbf{then}\ f\ \mathbf{else}\ g = [f, g] \circ p?$. (A more detailed categorical exposition of this can be found in [?].)

Those coalgebras that are the inverses of initial algebras defined by algebraic data type definitions just undo the term construction. So we can think, for example, of $\mathit{out}_N$ and $\mathit{out}_{L_A}$ being defined by:

$$\mathit{out}_N = \lambda n.\ \mathbf{case}\ n\ \mathbf{of}\ \mathit{Zero} \to (1, ()) \mid \mathit{Succ}(m) \to (2, m)$$
$$\mathit{out}_{L_A} = \lambda l.\ \mathbf{case}\ l\ \mathbf{of}\ \mathit{Nil} \to (1, ()) \mid \mathit{Cons}(x, l') \to (2, (x, l'))$$

2.4 Catamorphisms, Anamorphisms, and Hylomorphisms 

Initial and terminal objects are unique up to isomorphism, and they are charac- 
terized by having exactly one morphism to, respectively, from, all other objects. 
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This means that for each F-algebra a in the category Alg(T") there is exactly 
one f-homomorphism h : inp ot. Since h is uniquely determined by a, it 
is conveniently denoted by ([a])F, or just ([a]) when F is clear from the context, 
and h is called a catamorphism m- Accordingly, for each F-coalgebra a in the 
category CoAlg(F) there is exactly one F-cohomomorphism h : a outp, 
which is denoted by [a] p (or just [a] ) and which is called an anamorphism. 

Programs mapping from an initial algebra to another data type can be suc- 
cinctly expressed as catamorphisms. An F-catamorphism ([a]) can be thought of 
as a function replacing the constructors of inp by the functions/constructors of 
a; catamorphisms offer a canonical way of consuming a data structure. Similarly, 
mappings to terminal algebras can be expressed by anamorphisms, which pro- 
vide a canonical way of constructing data structures. It is clear that the identity 
is the unique morphism from the initial F-algebra to itself (respectively, to the 
terminal F-coalgebra from itself): 

(JmF])F = = id (Catald, Anald) 

Finally, a hylomorphism is essentially the composition of a catamorphism with an anamorphism. Formally, a hylomorphism $[\![\alpha, \bar\alpha]\!]_F$ is defined as the least morphism $h$ satisfying:

$h = \alpha \circ F(h) \circ \bar\alpha$   (HyloDef)

Hylomorphisms are related to cata- and anamorphisms in an obvious way:

$[\![\alpha, \bar\alpha]\!]_F = (\![\alpha]\!)_F \circ [\!(\bar\alpha)\!]_F$   (HyloSplit)

$[\![\alpha, out_F]\!]_F = (\![\alpha]\!)_F$   (HyloCata)

$[\![in_F, \bar\alpha]\!]_F = [\!(\bar\alpha)\!]_F$   (HyloAna)

Hylomorphisms enjoy a number of useful laws, for example,

$[\![\alpha \circ \eta, \bar\alpha]\!]_F = [\![\alpha, \eta \circ \bar\alpha]\!]_G \;\Leftarrow\; \eta : F \to G$   (HyloShift)

$[\![\alpha, \bar\alpha]\!]_F \circ [\![\beta, \bar\beta]\!]_F = [\![\alpha, \bar\beta]\!]_F \;\Leftarrow\; \bar\alpha \circ \beta = id$   (HyloFusion)

A hylomorphism $[\![\alpha, \bar\alpha]\!]_F$ defines a recursive function whose recursion follows that of the functor F.
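The three recursion schemes of this subsection, as an added example in plain Python (this is not code from the paper): the functor actions $F(h)$ for the list functor $L_A$ and the naturals functor $N$, `hylo` as the least solution of (HyloDef), `cata` and `ana` as its special cases (HyloCata, HyloAna), and checks of (HyloSplit) and (CataId) on small inputs. The tagged-pair encoding of $F(X)$ values, Python lists and non-negative integers as carriers, and all function names are this example's own assumptions.

```python
# Added example (not from the paper): catamorphisms, anamorphisms and
# hylomorphisms for the list functor L_A(X) = 1 + A x X and the naturals
# functor N(X) = 1 + X. Values of F(X) are encoded as tagged pairs,
# (1, ()) for the left summand and (2, payload) for the right one,
# mirroring the paper's out_N and out_LA. Encoding and names are assumptions.
from typing import Any, Callable

FVal = tuple  # (1, ()) | (2, payload)


def fmap_list(h: Callable, v: FVal) -> FVal:
    """L_A(h): apply h to the recursive position (the tail) only."""
    tag, payload = v
    if tag == 1:
        return v
    x, xs = payload
    return (2, (x, h(xs)))


def fmap_nat(h: Callable, v: FVal) -> FVal:
    """N(h): apply h to the predecessor position only."""
    tag, payload = v
    return v if tag == 1 else (2, h(payload))


def hylo(alg: Callable, fmap: Callable, coalg: Callable) -> Callable:
    """Least solution h of  h = alg . F(h) . coalg  (HyloDef)."""
    def h(v: Any) -> Any:
        return alg(fmap(h, coalg(v)))
    return h


# Initial algebra in_LA and its inverse out_LA, with Python lists as carrier.
def in_list(v: FVal) -> list:
    return [] if v[0] == 1 else [v[1][0]] + v[1][1]


def out_list(l: list) -> FVal:
    return (1, ()) if not l else (2, (l[0], l[1:]))


# Initial algebra in_N and its inverse out_N, with non-negative ints as carrier.
def in_nat(v: FVal) -> int:
    return 0 if v[0] == 1 else v[1] + 1


def out_nat(n: int) -> FVal:
    return (1, ()) if n == 0 else (2, n - 1)


def cata(alg: Callable, fmap: Callable, out: Callable) -> Callable:
    """([alg])_F = [[alg, out_F]]_F  (HyloCata)."""
    return hylo(alg, fmap, out)


def ana(coalg: Callable, fmap: Callable, in_: Callable) -> Callable:
    """[(coalg)]_F = [[in_F, coalg]]_F  (HyloAna)."""
    return hylo(in_, fmap, coalg)


# length: L_A-catamorphism with algebra [Zero, Succ . pi2].
length = cata(lambda v: 0 if v[0] == 1 else v[1][1] + 1, fmap_list, out_list)

# countdown: L_A-anamorphism unfolding n into the list [n, n-1, ..., 1].
split_pred = lambda n: (1, ()) if n == 0 else (2, (n, n - 1))
countdown = ana(split_pred, fmap_list, in_list)

# product: L_A-catamorphism over lists of numbers with algebra [1, *].
product = cata(lambda v: 1 if v[0] == 1 else v[1][0] * v[1][1], fmap_list, out_list)

# factorial as a hylomorphism: the unfolded countdown is consumed without
# ever being materialised as a list.
fac = hylo(lambda v: 1 if v[0] == 1 else v[1][0] * v[1][1], fmap_list, split_pred)


def hylo_split_holds(n: int) -> bool:
    """Check (HyloSplit) on input n: [[alg, coalg]] == ([alg]) . [(coalg)]."""
    return fac(n) == product(countdown(n))


def cata_id_holds(l: list) -> bool:
    """Check (CataId): ([in_LA]) is the identity on the list carrier."""
    return cata(in_list, fmap_list, out_list)(l) == l
```

The recursion of each function is exactly the recursion of the functor: `fmap_list` recurses into the tail position and nowhere else, so `hylo` terminates as soon as the coalgebra yields the left summand.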

3 Abstract Data Types as Bialgebras

The main hindrance for expressing certain catamorphisms on ADTs is that homomorphisms are not able to map to less constrained structures.

One solution is to decouple the decomposition of ADT values from their construction to gain more flexibility. This can be achieved by modeling an ADT by a pair $(\alpha, \bar\alpha)$ where $\alpha$ is an F-algebra, $\bar\alpha$ is a G-coalgebra, and $U(\alpha) = U(\bar\alpha)$. Such an algebra/co-algebra pair with a common carrier is called an F, G-bialgebra [ref]. An F, G-bialgebra homomorphism from $(\alpha, \bar\alpha)$ to $(\beta, \bar\beta)$ is a morphism $h$ satisfying $h \circ \alpha = \beta \circ F(h)$ and $G(h) \circ \bar\alpha = \bar\beta \circ h$. The F, G-bialgebras and their homomorphisms form a category BiAlg(F, G), which is built upon CPO¹. In the sequel we use the terms "ADT" and "bialgebra" as synonyms. Given an ADT $D = (\alpha, \bar\alpha)$, we call $\alpha$ the constructor of D and $\bar\alpha$ the destructor of D.

Note that, in general, we have to provide the carrier of an ADT explicitly, since it is not determined by a universal property (like for initial algebras or terminal coalgebras). If not stated otherwise, we will always implicitly take the carrier of the initial algebra (or terminal coalgebra) whenever it is used as a constructor (respectively, as a destructor). For example, the carrier of the bialgebras Nat, Range, and Prod is always $U(in_N)$, and the carrier of the bialgebras List, Queue, and Set is $U(in_{L_A})$.

Let us consider some examples. First of all, algebraic data types can be regarded as ADTs by taking the initial algebra as constructor and its inverse as destructor. For example, ADT $List = (in_{L_A}, out_{L_A})$ is an $L_A$, $L_A$-bialgebra; List can also be used as a stack ADT. Similarly, we can define $Nat = (in_N, out_N)$. But we can define many more different ADTs for natural numbers. We can consider, for instance, binary destructors, that is, $L_{U(in_N)}$-coalgebras. One example (that will be used later) is the ADT Range which decomposes a number by returning the number itself in addition to the predecessor:

$Range = (in_N, [I, \langle succ, I \rangle] \circ out_N)$

Note that using $succ$ is indeed correct here, since $out_N$ gives the predecessor (which is preserved by $I$) and $succ$ re-builds the original number value. This also shows that the constructor and the destructor of an ADT need not have the same signature. Another example for this is the $L_N$, N-bialgebra Prod that constructs numbers by multiplication:

$Prod = ([1, *], out_N)$

Our next example is an ADT for queues. The constructors of a queue are the same as for List. The destructor is also an $L_A$-coalgebra, but it is different from $out_{L_A}$, since elements are taken from the end. There are different ways to define the queue destructor. First of all, we can give a recursive function definition (which is possible, since we are working in CPO).

$dequeue = \mu f.\ \lambda l.\ \mathbf{case}\ l\ \mathbf{of}$
    $Nil \to (1, ())$
  $|\ Cons(x, Nil) \to (2, (x, Nil))$
  $|\ Cons(x, l') \to (I + I \times (Cons \circ \langle x, I \rangle))\,(f\ l')$

(This definition could be written more conveniently if let-expressions were available.) A more categorical style is to use only combinators and catamorphisms.

¹ An F, G-bialgebra is just a special case of an F, G-dialgebra, that is, BiAlg(F, G) = DiAlg([F, I], [I, G]) [refs]. Working with bialgebras is sufficient for our purposes and makes the separation of constructors and destructors more explicit.
With the aid of a function $snoc$ for appending a single element at the end of a list and a function $rev$ for reversing a list, both defined by $L_A$-catamorphisms²,

$snoc(x, l) = (\![Cons(x, Nil), Cons]\!)_{L_A}\ l$

$rev = (\![Nil, snoc]\!)_{L_A}$

we can define the queue destructor as follows.

$dequeue = I + I \times rev \circ out_{L_A} \circ rev$

This means that a queue is represented by a list where elements are enqueued at the front and dequeued from the rear. In particular, dequeueing from a list $l$ works as follows: reverse $l$, take the first element $x$ and the tail $l'$ from $rev\ l$, and finally reverse $l'$ to get the standard queue representation. Now we can define:

$Queue = (in_{L_A}, dequeue)$.



As our final example we define a set ADT, again based on the "cons"-view given by $L_A$. This can be done in two principally different ways. One possibility that quickly comes to mind is to define equations E expressing idempotence and commutativity and work with the quotient algebra $L_A/E$³. The problem with this approach is that homomorphisms are forced to stay within $L_A/E$-algebras, and it is not obvious how to define destructors into different algebras. Thus, it is not clear how to define a function for counting the elements of a set.

To define sets as bialgebras, we can use a list carrier and normalize lists in constructors or destructors. The second option means to take $in_{L_A}$ as constructor. The destructor must then be defined so that a value is retrieved from a set at most once. This can be realized by splitting an arbitrary element off (for example, the one that was inserted last) and removing all occurrences of this element in the returned set. We need the following functions:



$append(l, l') = (\![l', Cons]\!)_{L_A}\ l$

$flatten = (\![Nil, append]\!)$

$map\ f = (\![Nil, Cons \circ f \times I]\!)$

$filter(p, l) = (flatten \circ map\,(\lambda y.\ \mathbf{if}\ p(y)\ \mathbf{then}\ Cons(y, Nil)\ \mathbf{else}\ Nil))\ l$

$remove(x, l) = filter((\neq x), l)$

Now we can define the set destructor and the set ADT by:

$deset = I + \langle \pi_1, remove \rangle \circ out_{L_A}$

$Set = (in_{L_A}, deset)$

Note that the definition works only for types A on which equality is defined.

² For readability we omit the junc-brackets inside catamorphisms.

³ Equations can be expressed categorically by transformers [ref], which are mappings between algebras. Examples can be found in [refs].
We have actually given one concrete implementation of sets based on lists, and strictly we still have to prove that this implementation is correct. So the presented bialgebra approach to programming with ADTs is definitely not as high-level as equational specifications. However, we believe it is more flexible. In particular, the bialgebra approach encourages combining different F-algebras and G-coalgebras, which makes it easy to adapt ADTs to changing requirements. For example, instead of splitting off single elements with deset we can also use a P-coalgebra split (where $P = 1 + I \times I$) to partition a set into two equally sized sets. This can be useful, for example, for divide-and-conquer algorithms.

4 Programming by Metamorphisms 

From now on let $D = (\alpha, \bar\alpha)$ be an F, G-bialgebra, let $D' = (\beta, \bar\beta)$ be an H, J-bialgebra, and let $C = (\psi, \bar\psi)$ be a K, M-bialgebra.

Metamorphisms and Data Type Filters. If $f : G \to H$ is a natural transformation, the f-metamorphism from D to D' is defined as the least solution of the equation

$h = \beta \circ f \circ G(h) \circ \bar\alpha$   (MetaDef)

and is denoted by $D \xrightarrow{f} D'$ (we write $D \to D'$ if $f = id$). We call D/D' the source/target and f the map of the metamorphism. This definition says that a metamorphism from D to D' is essentially a hylomorphism:

$D \xrightarrow{f} D' = [\![\beta \circ f, \bar\alpha]\!]_G$   (MetaHylo)

As an important special case, metamorphisms from algebraic data types reduce to catamorphisms, that is,

$D \to D' = (\![\beta]\!)_G \;\Leftarrow\; D = (in_G, out_G)$   (MetaAlg)

This can be seen as follows. First we know H = G, since f = id. Then

$D \to D' = [\![\beta, out_G]\!]_G$   { MetaHylo }

$= (\![\beta]\!)_G \circ [\!(out_G)\!]_G$   { HyloSplit }

$= (\![\beta]\!)_G \circ id$   { AnaId }

$= (\![\beta]\!)_G$

As an abbreviation for the composition of two metamorphisms we introduce the notion of an ADT-filter. The C-filter from D to D' is defined as:

$D \xrightarrow{f} C \xrightarrow{g} D' = C \xrightarrow{g} D' \circ D \xrightarrow{f} C$   (FilterDef)

Here D and D' are called the source and target of the filter, and C is called the filter data type. Again, we omit f and g if they are just identities.
A New Programming Style for ADTs. Let us now consider some metamorphic programs. First of all, examples for algebraic data types translate directly from the corresponding catamorphisms. For instance, the length of a list can be computed by the metamorphism

$length = List \xrightarrow{I + \pi_2} Nat$

We can always save the metamorphism map, here $I + \pi_2$, by selecting a target ADT whose constructor functor agrees with the functor of the source ADT destructor. We can actually calculate the desired ADT as follows.

$List \xrightarrow{I + \pi_2} Nat = [\![[Zero, Succ] \circ (I + \pi_2), out_{L_A}]\!]_{L_A}$   { MetaHylo }

$= [\![[Zero \circ I, Succ \circ \pi_2], out_{L_A}]\!]_{L_A}$   { sum }

Thus, we can define the $L_A$, N-bialgebra $Count = ([Zero, Succ \circ \pi_2], out_N)$, and we obtain for length the modified form:

$length = List \to Count$

In an actual programming environment there will be lots of different ADTs representing many algebra/coalgebra combinations. We envision a system that supports the writing of metamorphisms by automatically offering sets of functor-matching target ADTs and/or sets of natural transformations that can be used as maps in metamorphisms.

Now let us consider the more interesting case for non-algebraic ADTs. We are eventually able to count the number of elements in a set by:

$count = Set \to Count$

Mapping a function f to all elements of a set can be expressed by:

$mapset = Set \xrightarrow{I + f \times I} Set$   (= $Set \xrightarrow{L_f} Set$)

And we must not forget the factorial function, which can be computed by:

$fac = Range \to Prod$

Filters are very handy in expressing certain algorithms, for example:

$List \to Set \to List$   Remove duplicates

$List \to Set \to Nat$   Number of different list elements

$List \to Queue \to List$   List reverse

$List \to PQueue \to List$   Heapsort



We have not defined the ADT PQueue for priority queues yet. This can be done similarly to Queue, except that the destructor selects the smallest instead of the last list element. The reader might wonder whether Stack (= List) instead of Queue should be used in the list reverse example. Queue is indeed the proper filter here, since metamorphisms proceed in a "bottom-up" manner (which means for $L_A$ "right-to-left"), that is, the last element of the first list will be inserted first into the queue and will thus be consed last to the target list. One might also object that the given program for reverse is unacceptably inefficient because during the decomposition phase each intermediate queue value is reversed twice, thus resulting in a quadratic running time. We will address two ways for optimization in Sect. 5.

Until now we have only worked with types of linear functors. It is clear that all presented concepts also apply to, say, tree-like structures. For these the ADT approach gives a very nice view on divide-and-conquer algorithms.

With a final example we give an impression of the power the metamorphic programming style can offer when the right abstractions are chosen. Suppose we have defined a representation for graphs (based on a suitable functor Gr) and a function roots for computing and removing the list of a graph's roots⁴. We can then define an ADT $RootGraph = (in_{Gr}, roots)$, which can be used for realizing topological sorting as follows⁵:

$topsort = flatten \circ RootGraph \to List$
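The ADTs of Sect. 3 (Range, Prod, Queue, Set, and the algebraic List and Nat) together with the metamorphic programs and filters of this section, as one added Python example that is not code from the paper. A bialgebra is represented as a constructor, a destructor and the action of the destructor's functor on morphisms, which is what the recursion in (MetaDef) needs; `meta` is the least solution of (MetaDef), `filt` is (FilterDef), and the last function checks the fusion law for invertible filter data types stated in Sect. 5. The tagged-pair encoding of functor values, Python lists and integers as carriers, and the names `Bialg`, `meta`, `filt`, `nub` and `filter_fusion_check` are this example's own assumptions.

```python
# Added example (not from the paper): ADTs as (constructor, destructor)
# pairs and metamorphisms between them. The encoding of functor values
# as tagged pairs (1, ()) / (2, payload) and the list carrier follow the
# paper's out_LA; class and function names are this example's own.
from typing import Callable, NamedTuple


class Bialg(NamedTuple):
    """An F,G-bialgebra D = (alpha, alpha_bar) on a common carrier, plus the
    action G(h) of the destructor's functor, which the metamorphism needs."""
    cons: Callable       # constructor alpha : F(C) -> C
    des: Callable        # destructor alpha_bar : C -> G(C)
    fmap_des: Callable   # G(h)


def fmap_list(h, v):
    """L_A(h): apply h to the tail position."""
    return v if v[0] == 1 else (2, (v[1][0], h(v[1][1])))


def fmap_nat(h, v):
    """N(h): apply h to the predecessor position."""
    return v if v[0] == 1 else (2, h(v[1]))


def meta(src: Bialg, f: Callable, tgt: Bialg) -> Callable:
    """D -f-> D': least solution of  h = beta . f . G(h) . alpha_bar  (MetaDef)."""
    def h(v):
        return tgt.cons(f(src.fmap_des(h, src.des(v))))
    return h


def filt(src, f, mid, g, tgt):
    """D -f-> C -g-> D' = (C -g-> D') . (D -f-> C)  (FilterDef)."""
    first, second = meta(src, f, mid), meta(mid, g, tgt)
    return lambda v: second(first(v))


ident = lambda v: v

# --- algebraic data types: the destructor is the inverse of the constructor ---
in_list = lambda v: [] if v[0] == 1 else [v[1][0]] + v[1][1]
out_list = lambda l: (1, ()) if not l else (2, (l[0], l[1:]))
List = Bialg(in_list, out_list, fmap_list)

in_nat = lambda v: 0 if v[0] == 1 else v[1] + 1
out_nat = lambda n: (1, ()) if n == 0 else (2, n - 1)
Nat = Bialg(in_nat, out_nat, fmap_nat)

# --- non-algebraic ADTs on the same carriers ---
# Range: the destructor returns the number itself together with its predecessor.
Range = Bialg(in_nat, lambda n: (1, ()) if n == 0 else (2, (n, n - 1)), fmap_list)
# Prod: constructs numbers by multiplication, [1, *].
Prod = Bialg(lambda v: 1 if v[0] == 1 else v[1][0] * v[1][1], out_nat, fmap_nat)
# Count: constructor [Zero, Succ . pi2] matches the L_A destructor of its source.
Count = Bialg(lambda v: 0 if v[0] == 1 else v[1][1] + 1, out_nat, fmap_nat)

rev = lambda l: l[::-1]


def dequeue(l):
    """Queue destructor: I + I x rev . out_LA . rev (elements leave from the rear)."""
    r = out_list(rev(l))
    return r if r[0] == 1 else (2, (r[1][0], rev(r[1][1])))


Queue = Bialg(in_list, dequeue, fmap_list)

remove = lambda x, l: [y for y in l if y != x]


def deset(l):
    """Set destructor: I + <pi1, remove> . out_LA (split one element, drop its copies)."""
    r = out_list(l)
    return r if r[0] == 1 else (2, (r[1][0], remove(r[1][0], r[1][1])))


Set = Bialg(in_list, deset, fmap_list)

# --- metamorphic programs from the paper ---
length = meta(List, lambda v: v if v[0] == 1 else (2, v[1][1]), Nat)  # map I + pi2
length2 = meta(List, ident, Count)               # same function, map saved via Count
count = meta(Set, ident, Count)                  # number of distinct elements
fac = meta(Range, ident, Prod)                   # factorial
nub = filt(List, ident, Set, ident, List)        # remove duplicates
reverse = filt(List, ident, Queue, ident, List)  # list reverse


def filter_fusion_check(l: list) -> bool:
    """Theorem 1 (Filter Fusion): List is invertible (out_LA . in_LA = id), so the
    filter List -> List -> Count must equal the metamorphism List -> Count."""
    return filt(List, ident, List, ident, Count)(l) == meta(List, ident, Count)(l)
```

Note how `reverse` comes out of `dequeue` alone: the first half of the filter, $List \to Queue$, is the identity on the shared list carrier, and the second half pulls elements from the rear while `in_list` conses them at the front.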

5 Program Transformation

One interesting property of ADTs is invertibility:

D is invertible $\iff \bar\alpha \circ \alpha = id$

Invertible data types are important, since they can be fused away (see Theorem 1 below). In particular, all algebraic data types are invertible. It is clear that a data type can be invertible only if destructor and constructor have compatible signatures:

Lemma 1. An F, G-bialgebra D can be invertible only if F = G. □

Next we consider how program transformation and optimization present themselves in the framework of bialgebras and metamorphisms. First of all, we stress that we can use all of the existing results developed for algebraic data types: we show that fusion of algebraic data types is still possible, and we demonstrate the use of well-known laws in the optimization of metamorphic programs. In addition, we show that the fixed recursion pattern enables specific optimizations for ADTs, and finally we show that the filter programming style offers optimization opportunities that go beyond fusion and even promise asymptotic speed-ups.

⁴ We will show a simple relational representation for graphs in Sect. 5. Based on that, a function for computing roots is given by $- \circ \langle dom, rng \rangle$.

⁵ Note that this does not work with the representation of Sect. 5, since it is not possible to represent isolated nodes, which might occur during the graph decomposition. The extension is not difficult, but it is not needed here to understand the point.
A Fusion Law for ADTs. An important property of invertible data types is that they do not have an effect as filter data types, that is, they can be safely omitted from filters.

Theorem 1 (Filter Fusion). C is invertible $\;\Rightarrow\; D \to C \to D' = D \to D'$.

Proof.

$D \to C \to D' = C \to D' \circ D \to C$   { FilterDef }

$= [\![\beta, \bar\psi]\!]_M \circ [\![\psi, \bar\alpha]\!]_G$   { MetaHylo }

$= [\![\beta, \bar\psi]\!]_G \circ [\![\psi, \bar\alpha]\!]_G$   { Lemma 1 }

$= [\![\beta, \bar\alpha]\!]_G$   { Assumption, HyloFusion }

$= D \to D'$   { MetaHylo }

□

This is a reformulation of the well-known fusion law for algebraic data types. Its importance lies in the fact that the extension to ADTs and metamorphisms is conservative in the sense that the fusion optimization for algebraic data types is not affected and can still be applied in the extended framework.



Applying Classical Transformations. Assume we represent a graph by a binary relation on integers. We can use the already defined ADT Set for this; we call it Rel here just for clarity. A simple method for computing the set of all nodes in a graph is then to take the union of the domain and the codomain of the relation, which are defined by two simple metamorphisms:

$dom = Rel \xrightarrow{I + \pi_1 \times I} Set$

$rng = Rel \xrightarrow{I + \pi_2 \times I} Set$

$nodes = \cup \circ \langle dom, rng \rangle$

With this implementation the relation must be traversed twice, once for computing the left components of all pairs and once for computing the right components. With the aid of the so-called banana-split law [ref]

$\langle (\![\alpha]\!)_F, (\![\beta]\!)_F \rangle = (\![\langle \alpha \circ F(\pi_1), \beta \circ F(\pi_2) \rangle]\!)_F$

we can obtain an improved version of nodes in which dom and rng are computed by a single scan over the relation. First, we expand dom and rng by (MetaHylo) and (HyloSplit) to:

$dom = (\![in_{L_A} \circ I + \pi_1 \times I]\!) \circ [\!(deset)\!]$

$rng = (\![in_{L_A} \circ I + \pi_2 \times I]\!) \circ [\!(deset)\!]$

By factorizing the anamorphism from the split we get:

$nodes = \cup \circ \langle (\![in_{L_A} \circ I + \pi_1 \times I]\!),\ (\![in_{L_A} \circ I + \pi_2 \times I]\!) \rangle \circ [\!(deset)\!]$

Now we can apply the banana-split law (with $F = L_A$) and obtain the following optimized version for nodes:

$nodes = \cup \circ (\![\langle (in_{L_A} \circ I + \pi_1 \times I) \circ L_A(\pi_1),\ (in_{L_A} \circ I + \pi_2 \times I) \circ L_A(\pi_2) \rangle]\!) \circ [\!(deset)\!]$

This can be simplified by evaluating $L_A$ and applying laws for product and sum, yielding:

$nodes = \cup \circ (\![\langle in_{L_A} \circ I + \pi_1 \times \pi_1,\ in_{L_A} \circ I + \pi_2 \times \pi_2 \rangle]\!) \circ [\!(deset)\!]$

which can finally be written as a metamorphism:

$nodes = \cup \circ Set \xrightarrow{\langle I + \pi_1 \times \pi_1,\ I + \pi_2 \times \pi_2 \rangle} (Set \times Set)$

Depending on the definition of the function $\cup$, we can possibly optimize further. For example, if $\cup$ is itself defined by a catamorphism, we can fuse that definition with the metamorphism just obtained. We do not elaborate on this here; the goal of this part was just to show that optimizations and transformations can be well performed using already existing laws.
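The banana-split transformation just carried out, as an added Python example (not code from the paper): `nodes_two_scans` computes $dom$ and $rng$ as two separate catamorphisms over the decomposition by $deset$, while `nodes_one_scan` uses the paired algebra $\langle in \circ I + \pi_1 \times \pi_1,\ in \circ I + \pi_2 \times \pi_2 \rangle$ obtained after the law is applied. Each function returns the node set together with the number of decomposition steps taken, so the halving of the traversal work is observable. The relation is represented as a list of pairs without duplicates, as in the Set ADT; the constructed sample relation, the step counter and the helper names are this example's own.

```python
# Added example (not from the paper): banana-split applied to
# nodes = U . <dom, rng> over a relation held in the Set ADT (a list of
# pairs, duplicates removed by deset). Counter and names are assumptions.
from typing import Callable, List, Tuple


def fmap_list(h: Callable, v: tuple) -> tuple:
    """L_A(h): apply h to the tail position of a tagged pair."""
    return v if v[0] == 1 else (2, (v[1][0], h(v[1][1])))


def remove(x, l: list) -> list:
    return [y for y in l if y != x]


def deset(l: list) -> tuple:
    """Set destructor as in the paper: split one element off, drop its copies."""
    if not l:
        return (1, ())
    return (2, (l[0], remove(l[0], l[1:])))


def hylo(alg: Callable, coalg: Callable, counter: list) -> Callable:
    """[[alg, coalg]]_{L_A}; counter[0] is incremented once per decomposition step."""
    def h(v):
        counter[0] += 1
        return alg(fmap_list(h, coalg(v)))
    return h


def cons_alg(proj: Callable) -> Callable:
    """Algebra in_LA . (I + proj x I): cons proj(pair) onto the recursive result."""
    return lambda v: [] if v[0] == 1 else [proj(v[1][0])] + v[1][1]


pi1 = lambda p: p[0]
pi2 = lambda p: p[1]


def union(pair: Tuple[list, list]) -> list:
    """Set union on list representations, keeping first occurrences."""
    out: list = []
    for x in pair[0] + pair[1]:
        if x not in out:
            out.append(x)
    return out


def nodes_two_scans(rel: List[tuple]) -> Tuple[list, int]:
    """nodes = U . <dom, rng> with dom and rng as two separate hylomorphisms."""
    steps = [0]
    dom = hylo(cons_alg(pi1), deset, steps)
    rng = hylo(cons_alg(pi2), deset, steps)
    return union((dom(rel), rng(rel))), steps[0]


def nodes_one_scan(rel: List[tuple]) -> Tuple[list, int]:
    """After banana-split: one hylomorphism whose algebra builds both lists."""
    steps = [0]

    def pair_alg(v):
        # <in . I + pi1 x pi1, in . I + pi2 x pi2>: the recursive result is a
        # pair (ds, rs); the new pair's components are consed onto each side.
        if v[0] == 1:
            return ([], [])
        (a, b), (ds, rs) = v[1]
        return ([a] + ds, [b] + rs)

    both = hylo(pair_alg, deset, steps)
    return union(both(rel)), steps[0]


# Constructed sample relation (one duplicate pair, which deset removes).
SAMPLE_REL = [(1, 2), (2, 3), (1, 2), (3, 1)]
```

With three distinct pairs plus the final empty step, the two-scan version performs eight decomposition steps and the fused version four, while both return the same node list.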



Exploiting Fixed Recursion Scheme. We have already noted that the filter for implementing list reverse is unacceptably inefficient, since actually each tail of the list is reversed twice. This gives a quadratic running time, and, no doubt, a direct use of the function rev would be much better⁶. But if we look at how the queue is used in a metamorphism, we observe that in each step one element is taken from the queue and the (intermediate) queue values themselves are never needed, except for decomposing/dequeueing. In order to exploit this knowledge we formulate equations for the different versions of the queue ($q_i$) and the dequeued elements ($x_i$). We abbreviate $\pi_1 \circ out_{L_A}$ by $hd$ and $\pi_2 \circ out_{L_A}$ by $tl$. Recall the definition of $dequeue = I + I \times rev \circ out_{L_A} \circ rev$. Now given a (non-empty) intermediate queue $q_{i-1}$, we have:

$q_i = (rev \circ \pi_2 \circ out_{L_A} \circ rev)\ q_{i-1} = (rev \circ tl \circ rev)\ q_{i-1}$

$x_i = (\pi_1 \circ out_{L_A} \circ rev)\ q_{i-1} = (hd \circ rev)\ q_{i-1}$

Since $q_{i-1} = (rev \circ tl \circ rev)\ q_{i-2}$ we have $q_i = (rev \circ tl \circ rev \circ rev \circ tl \circ rev)\ q_{i-2} = (rev \circ tl^2 \circ rev)\ q_{i-2}$. By induction it follows (given an initial queue $q_0$) that

$q_i = (rev \circ tl^i \circ rev)\ q_0$

⁶ In general, however, we do not know about the implementation of an ADT, and thus we might not have access to a function like rev.

Now we observe that the last queue value is Nil and that all other queue values are only used for dequeueing. This means that we can work inside the decomposition with reversed queues, that is, using $r_i = rev\ q_i$ we get:

$r_0 = rev\ q_0$

$r_i = rev\,((rev \circ tl \circ rev)\ q_{i-1}) = (tl \circ rev)\ q_{i-1} = tl\ r_{i-1}$

$x_i = hd\ r_{i-1}$

This gives a much more efficient implementation for the Queue ADT. In particular, the representing list has to be reversed only once.
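The two ways of draining a queue compared above, as an added Python example (not code from the paper): `drain_naive` follows the original destructor $dequeue = I + I \times rev \circ out_{L_A} \circ rev$ step by step, and `drain_reversed` follows the derived equations $r_0 = rev\ q_0$, $x_i = hd\ r_{i-1}$, $r_i = tl\ r_{i-1}$. Both return the dequeued elements together with the number of calls to $rev$, which makes the difference between $2n + 1$ reversals and a single one visible. The counting wrapper and the function names are this example's own.

```python
# Added example (not from the paper): draining a queue with the original
# destructor versus the reversed representation r_i = rev q_i derived in the
# text. The reversal counter is this example's own instrumentation.
from typing import Tuple


class Rev:
    """rev with a call counter, so the two strategies can be compared."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, l: list) -> list:
        self.calls += 1
        return l[::-1]


def out_list(l: list) -> tuple:
    """out_LA: (1, ()) for Nil, (2, (head, tail)) for Cons."""
    return (1, ()) if not l else (2, (l[0], l[1:]))


def drain_naive(q: list) -> Tuple[list, int]:
    """x_i = (hd . rev) q_{i-1},  q_i = (rev . tl . rev) q_{i-1}: two reversals
    per element, plus one more on the final Nil, i.e. 2n + 1 in total."""
    rev = Rev()
    xs = []
    while True:
        r = out_list(rev(q))      # out_LA . rev
        if r[0] == 1:
            break
        x, rest = r[1]
        xs.append(x)
        q = rev(rest)             # I + I x rev
    return xs, rev.calls


def drain_reversed(q: list) -> Tuple[list, int]:
    """r_0 = rev q_0,  x_i = hd r_{i-1},  r_i = tl r_{i-1}: one reversal in total."""
    rev = Rev()
    r = rev(q)
    xs = []
    while r:
        xs.append(r[0])
        r = r[1:]
    return xs, rev.calls


def same_elements(q: list) -> bool:
    """Both strategies dequeue the same sequence (rear element first)."""
    return drain_naive(q)[0] == drain_reversed(q)[0]
```

Element order is identical in both cases because the queue's only observable behaviour inside the metamorphism is the sequence of dequeued elements; the intermediate queue values are never inspected.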

Single-Threaded Analysis for Free! Consider the filters $List \to Queue \to List$ and $List \to PQueue \to List$. First, from the definition of filter it is clear that (i) the filter ADTs Queue and PQueue are completely built up before they are decomposed. Second, from the definition of metamorphism it can be seen that (ii) an ADT is constructed from one generator (the source ADT) where only one version exists at any time, and (iii) an ADT is destructed just from one consumer (the target ADT), thus also maintaining only one version at any time.

Hence at any time only one version of the filter ADT is referenced, and this means that the update operations to be performed on the filter can be safely implemented in an imperative way. This can increase the efficiency of programs much more than fusion is ever able to achieve. We are faced with a twisted situation here: it is not the elimination of data structures that improves the running time of programs, but rather the introduction of filter structures.

The nice thing is that a compiler does not need a sophisticated analysis technique to determine single-threadedness. Selecting update-in-place implementations is particularly important for data types like arrays or graphs, since persistent (= functional) implementations for these can become quite complex [refs], and as demonstrated in [ref], predefined imperative implementations of fold operations can speed up computations considerably.

6 Related Work 

Much of the work concerning catamorphisms on algebraic data types has already been mentioned in the introduction. There is surprisingly little work addressing structured recursion on non-algebraic data types, that is, data types satisfying equational laws. In particular, most approaches deal with specific data types, and there is almost no general framework available that could be used for a large class of abstract data types.

Chuang presents in [ref] essentially three different views of arrays and defines for each view corresponding fold operations. Gibbons [ref] defines a data type for directed acyclic multi-graphs. With a careful choice of operations, which obey certain algebraic laws, the definition of graph catamorphisms becomes feasible, and some functions on graphs, such as reversing the edges of a graph (graph reversal) or determining shortest paths (measured in number of edges), can be expressed as graph catamorphisms. However, the whole approach is very limited, since it applies only to acyclic graphs having no edge labels.

We have presented a more general view of graphs in [ref]. In that paper an important aspect was the definition of a couple of fold operations that can be used to express operations such as graph reversal, depth first search, evaluation of expression DAGs, or computing all simple paths in a graph. Two theorems for program fusion were presented that allow the removal of intermediate search trees as well as intermediate graph structures.

The only general approach for expressing catamorphisms over non-free data types we know of is the work of Fokkinga [refs]. The idea is to represent terms by combinators called transformers and to represent an equation by a pair of transformers. Several properties of transformers are investigated, and it is shown how transformers can be combined to yield new transformers, thus resulting in a variable-free language for expressing equations. The use of transformers is demonstrated in showing the equivalence of two different stack implementations. However, the whole approach suffers from the already mentioned restrictions caused by the constraint that homomorphisms must map to quotients.

7 Conclusions 

We have demonstrated how the structured recursion programming discipline 
can be applied to abstract data types. The main idea was to represent ADTs by 
bialgebras and to express mappings between ADTs by metamorphisms. 

Our approach demands the explicit definition of destructors. However, this additional effort pays off, since it offers much freedom in the design of ADTs; in particular, the separation into algebra and coalgebra provides a high degree of modularity. Moreover, with metamorphisms it also provides a much more general computing device than homomorphisms, since we can map into types with less structure.

Nevertheless, metamorphisms on bialgebras are a conservative extension of homomorphisms: the fusion law for algebraic data types is still valid and can be applied for invertible ADTs. Moreover, a very promising property of filter ADTs is that they can be safely implemented in a destructive way without losing referential transparency, since metamorphisms (and filters) use them in a single-threaded way.
Abstract. Pure Type Systems with universes ($\gamma PTS$) provide a right frame to model programming language features and are the core of Logical Frameworks, widely used in theorem proof systems. For these systems some authors propose a single rule, which includes both typing under $\beta$-conversion and the relation between universes. Our proposal adds an independent rule parameterized over a relation $\gamma$ between sorts. Non-trivial properties of the PTS like the weak strengthening lemma can be obtained in $\gamma PTS$ by extending a method proposed by van Benthem Jutting and using weak-closure for $\gamma$-reduction. This lemma is important for two main reasons: (1) it provides a condensing lemma that determines in the underlying logic system a cut rule that simplifies the task in proof assistant systems; (2) the proof of type checking decidability can be eased in some normalizing systems.



1 Introduction 

As the literature reflects, the Pure Type Systems (PTS) [ref] introduced by Terlouw and Berardi are a right frame to model programming language features and logic systems using the Howard-Curry isomorphism (propositions-as-types).

The inclusion of an explicit hierarchy between universes without needing a type for every type can be used to work in a similar way without sacrificing consistency. For these systems, some authors [refs] propose a single rule (the abstract reduction rule), which includes both typing under $\beta$-conversion and the relation between generalized universes (dependent products). Our proposal captures the typing under universes with an independent additional rule. This rule is parameterized over a relation $\gamma$ between sorts (basic universes) that determines another hierarchical level (apart from the hierarchy determined by the usual axioms and rules in PTS) and allows the definition of a relation between generalized universes. These systems, named $\gamma PTS$ in [ref], are a natural generalization of PTS and other theories (such as CC^ω [ref]), which are a special case of $\gamma PTS$ for a proper initial relation $\gamma$.

Elementary properties of the PTS (subject $\beta$-reduction, substitution lemma, etc.) can be expressed in $\gamma PTS$ without imposing restrictions on either $\gamma$ or the axioms and rules. Other properties, such as type checking decidability or the strengthening and condensing properties, need the addition of restrictions to the system. These restrictions have been captured in a uniform way using the concept of weak-closure for $\gamma$-reduction:
T h c : □ c c! T h c' : [‘5^7] 

The technique shown in this paper is an extension of the method proposed by L. van Benthem Jutting in [ref]. Thus, the set $\Lambda$ of terms will be divided into two disjoint classes: $\Lambda = T_v \cup T_s$. In class $T_v$ we have uniqueness of types for a relation $\sim$ (defined in terms of the relations $\twoheadrightarrow_\gamma$ and $=_\beta$), and we also get another interesting property, the strengthening lemma:

$\Gamma_1 \vdash a : \_ \;\wedge\; \Gamma_2 \vdash a : A \;\wedge\; \Gamma_1 \subseteq \Gamma_2 \;\Rightarrow\; \Gamma_1 \vdash a : A' \;\wedge\; A' \sim A$

Class $T_s$ verifies another essential property, the weak strengthening lemma:

$\Gamma_1 \vdash a : \_ \;\wedge\; \Gamma_1 \subseteq \Gamma_2 \;\Rightarrow\; \Gamma_2 \partial a \subseteq \Gamma_1 \partial a$

where $\partial$ and $\bar\partial$ denote the operators

$\Gamma \partial a = \{ s \mid \exists d, \Delta\,[\, a \twoheadrightarrow \lambda\Delta.d \;\wedge\; \Gamma, \Delta \vdash d : s \,]\}$

$\Gamma \bar\partial a = \{ s \mid \exists \Delta\,[\, \Gamma \vdash a : \Pi\Delta.s \,]\}$

which allow us to generalize some results already obtained in [ref]. This property directly provides the standard condensation lemma, i.e.

$\Gamma_1, y : D, \Gamma_2 \vdash a : A \;\wedge\; y \notin FV(\Gamma_2) \cup FV(a : A) \;\Rightarrow\; \Gamma_1, \Gamma_2 \vdash a : A$

The remainder of the paper is organized as follows. In Section 2 we formalize the $\gamma PTS$, state the elementary properties and characterize the possible types. Section 3 studies the concept of weak-closure for $\gamma$-reduction and some of its consequences, like the Church-Rosser property for class $T_v$. Section 4 is devoted to the strengthening lemmas and to one of their corollaries: the standard condensation lemma. The essential properties of the $\partial$ and $\bar\partial$ operators are stated, and will be used in the following section when proving the type checking decidability for a class of normalizing systems.

We have also included in this paper some relevant examples to show that some of the conditions in the results cannot be eliminated or even relaxed. On the other hand, most of the proofs have been omitted due to the lack of space. A final appendix summarizes the notation used throughout the paper to improve its readability.

2 Pure Type Systems with Universes ($\gamma PTS$)

Considering a set of variables V ($x, y, \ldots \in V$) and a set of constants or sorts S ($\rho, s, \Box, \triangle, \ldots \in S$), the set $\Lambda$ of terms for a $\gamma PTS$ is inductively defined as:

$x \in V \cup S \;\Rightarrow\; x \in \Lambda$

$A, B, a, b \in \Lambda \;\Rightarrow\; a\,b,\ \lambda x : A.b,\ \Pi x : A.B \in \Lambda$

We will denote by $\to_\beta$ one-step $\beta$-reduction, by $\twoheadrightarrow_\beta$ its reflexive and transitive closure, and by $=_\beta$ the equality generated by $\to_\beta$. The set of $\beta$-normal forms will be denoted by $\beta_n$, FV(a) is the set of free variables and $FV(a : A) = FV(a) \cup FV(A)$. A context $\Gamma$ is a sorted sequence of the form $x_1 : A_1, \ldots, x_n : A_n$. We will denote $x : A \in \Gamma$ iff $\exists i\,[x = x_i \wedge A = A_i]$, $\Gamma \subseteq \Gamma'$ iff $\forall x\,[x : A \in \Gamma \Rightarrow x : A \in \Gamma']$, $Var(\Gamma) = \{x_1, \ldots, x_n\}$; $x \in \Gamma$ means $x \in Var(\Gamma)$; $FV(\Gamma) = \bigcup_{1 \le i \le n} FV(A_i)$, and $(\Gamma_1, x : A, \Gamma_2)\!\upharpoonright\! x = \Gamma_1$. For the context $\Delta = x : A, y : B, z : C$ we denote by $\Pi\Delta.P$ the term $\Pi x : A.\Pi y : B.\Pi z : C.P$. This notation will also be used for $\lambda\Delta.b$. For a relation $\to$ on terms, we extend the concept of reduction to contexts $\Gamma$ as usual.

A $\gamma PTS$ is defined by a tuple $\lambda S = (S, \gamma, \mathcal{A}, \mathcal{R})$, where $\gamma$ is a relation over S (its objects are called classes or basic universes), $\mathcal{A}\ (\subseteq S \times S)$ is the set of axioms and $\mathcal{R}\ (\subseteq S \times S \times S)$ is the set of rules. We will abbreviate $\Box : \triangle \in \mathcal{A}$ and $s_1 : s_2 : s_3 \in \mathcal{R}$. $(s, s') \in \gamma$ means that s is a subclass or subuniverse of s'; $\to_\gamma$ denotes its right $\Pi$-compatible closure:

$(Q, R) \in \gamma \;\Rightarrow\; Q \to_\gamma R$

$Q \to_\gamma R \;\Rightarrow\; \Pi x : M.Q \to_\gamma \Pi x : M.R$

We will denote by $\twoheadrightarrow_\gamma$ the reflexive and transitive closure of $\to_\gamma$ and by $=_\gamma$ the equivalence (not necessarily compatible) generated by $\to_\gamma$; we will make similar assumptions over the $\gamma\beta$ relation ($\to_{\gamma\beta} = \to_\gamma \cup \to_\beta$). The symbol $\cdot$ denotes the composition of two relations: $x\ R \cdot R'\ y \iff \exists z\,[x R z \wedge z R' y]$. We will omit the symbol $\cdot$ if there is no possible confusion. We will write $\twoheadrightarrow_\gamma \models \Diamond$ as $\gamma \models \Diamond$, $\beta \Diamond \gamma$ for the commutativity of the $\beta$ and $\gamma$ relations, and CR for the Church-Rosser property:

$\beta \in CR \;\equiv\; {\twoheadleftarrow_\beta} \cdot {\twoheadrightarrow_\beta} \;\subseteq\; {\twoheadrightarrow_\beta} \cdot {\twoheadleftarrow_\beta}$

The notion of derivation $\Gamma \vdash_{\lambda S} a : A$, that we will also write as $\Gamma \vdash a : A$, is defined by the inductive system in the attached figure. The first seven rules are the usual ones in the PTS. The last one captures typing under the presence of classes or universes. When $\gamma$ is empty the system is a standard PTS. In the


$\gamma PTS$

(ax)   $\vdash \rho : s$   if $\rho : s \in \mathcal{A}$

(var)   $\Gamma \vdash A : s \;\Rightarrow\; \Gamma, x : A \vdash x : A$   if $x \notin \Gamma$

(weak)   $\Gamma \vdash b : B \;\wedge\; \Gamma \vdash A : s \;\Rightarrow\; \Gamma, x : A \vdash b : B$   if $x \notin \Gamma$

(apl)   $\Gamma \vdash f : (\Pi x : A.F) \;\wedge\; \Gamma \vdash a : A \;\Rightarrow\; \Gamma \vdash f\,a : F[x := a]$

($\Pi$)   $\Gamma \vdash A : s_1 \;\wedge\; \Gamma, x : A \vdash B : s_2 \;\Rightarrow\; \Gamma \vdash \Pi x : A.B : s_3$   if $s = s_1 : s_2 : s_3 \in \mathcal{R}$

($\lambda$)   $\Gamma \vdash A : s_1 \;\wedge\; \Gamma, x : A \vdash B : s_2 \;\wedge\; \Gamma, x : A \vdash b : B \;\Rightarrow\; \Gamma \vdash \lambda x : A.b : \Pi x : A.B$   if $s \in \mathcal{R}$

($\beta$)   $\Gamma \vdash a : A \;\wedge\; \Gamma \vdash A' : s \;\Rightarrow\; \Gamma \vdash a : A'$   if $A =_\beta A'$

($\gamma$)   $\Gamma \vdash a : A \;\wedge\; \Gamma \vdash A' : s \;\Rightarrow\; \Gamma \vdash a : A'$   if $A \to_\gamma A'$
derivation $\Gamma \vdash a : A$, the term a is the subject and A the predicate. A context $\Gamma$ is legal (we will write $\Gamma \vdash$) when there are terms a and A such that $\Gamma \vdash a : A$. We will write $\Gamma \vdash a : A : s$ for the pair of derivations $\Gamma \vdash a : A \;\wedge\; \Gamma \vdash A : s$, and $\Gamma \vdash a : A, A'$ for $\Gamma \vdash a : A \;\wedge\; \Gamma \vdash a : A'$. A free variable to the right of an implication is implicitly quantified in the correct way. For example, the consequent of the implication $\Gamma \vdash \Box : R \Rightarrow \Box : s \in \mathcal{A}$ is read as $\exists s\,[\Box : s \in \mathcal{A}]$, and will also be written as $\Box : \_ \in \mathcal{A}$.

The $\lambda_w$ system obtained when substituting the constraint in the (weak) rule by $b \in S \cup V,\ x \notin \Gamma$ is equivalent to the former: $\Gamma \vdash b : B \iff \Gamma \vdash_w b : B$. This rule is the one exposed in [ref] and it is interesting on its own because the generation lemma does not depend on the (weak) rule.

Lemma 1.

(i) $\beta \Diamond \gamma$

(i') $A \to_\gamma B \;\wedge\; B \in \beta_n \;\Rightarrow\; A \in \beta_n$

(ii) ${\to_\gamma} \cdot {\twoheadrightarrow_\beta} \subseteq {\twoheadrightarrow_\beta} \cdot {\to_\gamma}$, and for terms following the pattern $\Pi\Delta.s$: ${\twoheadrightarrow_\beta} \cdot {\twoheadrightarrow_\gamma} \subseteq {\twoheadrightarrow_\gamma} \cdot {\twoheadrightarrow_\beta}$

(iii) $A \twoheadrightarrow_{\gamma\beta} B \;\Rightarrow\; A[x := N] \twoheadrightarrow_{\gamma\beta} B[x := N]$

(iv) $A \twoheadrightarrow_\gamma B \;\Rightarrow\; FV(A) = FV(B)$

(v) $\gamma \models \Diamond \;\Rightarrow\; \gamma\beta \in CR$

The next lemma summarizes the basic properties of the relation $\leadsto$ that will appear in the generation lemma.

Lemma 2 (Order generated by $\gamma$). (a) Let $\rhd_1, \rhd_2, \rhd_3$ be three reflexive and transitive relations in $\Lambda$ verifying $\forall i < j\,[\rhd_j \cdot \rhd_i \subseteq \rhd_i \cdot \rhd_j]$. Then

$(\rhd_1 \cup \rhd_2 \cup \rhd_3)^* = \rhd_1 \cdot \rhd_2 \cdot \rhd_3$

In particular, when $\leadsto$ is defined as ${\twoheadrightarrow_\beta} \cdot {\twoheadrightarrow_\gamma} \cdot {\twoheadleftarrow_\beta}$:

(b) $\leadsto = ({\twoheadrightarrow_\beta} \cup {\twoheadrightarrow_\gamma} \cup {\twoheadleftarrow_\beta})^* = ({=_\beta} \cup {\twoheadrightarrow_\gamma})^* = ({=_\beta} \cdot {\twoheadrightarrow_\gamma} \cdot {=_\beta})$

(c) The $\leadsto$ relation is the least reflexive, transitive and right $\Pi$-compatible relation that includes the relation $({=_\beta} \cup {\to_\gamma})$.

(d) If $\twoheadrightarrow_\gamma$ is a (partial) order relation in $S \times S$, then $\leadsto$ is an order relation with respect to $=_\beta$; i.e.: $A \leadsto A' \leadsto A \;\Rightarrow\; A =_\beta A'$.

Proof. (a) is trivial; (b) follows from (a) taking $\rhd_1 = {\twoheadrightarrow_\beta}$, $\rhd_2 = {\twoheadrightarrow_\gamma}$, $\rhd_3 = {\twoheadleftarrow_\beta}$: by $\beta \Diamond \gamma$, $\rhd_3 \cdot \rhd_2 \subseteq \rhd_2 \cdot \rhd_3$. By $\beta \in CR$, $\rhd_3 \cdot \rhd_1 \subseteq \rhd_1 \cdot \rhd_3$, and by Lemma 1(ii), $\rhd_2 \cdot \rhd_1 \subseteq \rhd_1 \cdot \rhd_2$. Similarly, by $\beta \in CR$, $\beta \Diamond \gamma$ and Lemma 1(ii): ${=_\beta} \cdot {\twoheadrightarrow_\gamma} \cdot {=_\beta} \subseteq {\twoheadrightarrow_\beta} \cdot {\twoheadrightarrow_\gamma} \cdot {\twoheadleftarrow_\beta}$, and the reciprocal inclusion $\supseteq$ is trivial. The rest of the equalities follow from $({=_\beta} \cup {\twoheadrightarrow_\gamma})^* = ({\twoheadrightarrow_\beta} \cup {\twoheadrightarrow_\gamma} \cup {\twoheadleftarrow_\beta})^*$, which is obvious because of $\beta \in CR$. In order to prove (d) it is enough to show that

$B^* \twoheadrightarrow_\gamma Q^* \twoheadleftarrow_\beta A' \;\wedge\; A' \twoheadrightarrow_\beta Z \twoheadrightarrow_\gamma B^* \;\Rightarrow\; B^* =_\beta A'$   (1)

and observe the next diagram on the left (the non-annotated arrows correspond to the $\twoheadrightarrow_\beta$ relation). One part of the diagram is due to $\beta \in CR$, and the other part to $\beta \Diamond \gamma$.

[Diagram for the proof of Lemma 2(d): on the left the squares for (1), on the right the square for (2).]

In order to prove (1), using Lemma 1(ii), it is enough to prove

$B^* \twoheadrightarrow_\gamma Q^* \twoheadrightarrow_\beta M \twoheadleftarrow_\beta Z \twoheadrightarrow_\gamma B^* \;\Rightarrow\; B^* =_\beta Z$   (2)

and look at the former diagram on the right (the parts of the diagram follow from $\beta \in CR$); (2) is proved by induction on the derivation of $Z \twoheadrightarrow_\gamma B^*$. □



If we include U-types, these results also hold, and when the relation $\twoheadrightarrow_\gamma$ is an order in $S \times S$, the $\leadsto$ relation is the $\leq$ relation of [ref].

Example 3 (The Generalized Calculus of Constructions as a $\gamma PTS$). Let us consider the numerable set of constants $S = \{*, \Box_0, \ldots, \Box_i, \ldots \mid i \in \omega\}$, and the initial relation over constants $\gamma = \{* \to \Box_0,\ \Box_i \to \Box_{i+1} \mid i \in \omega\}$. Then $\twoheadrightarrow_\gamma$ is an order relation and, by Lemma 2, $\leadsto$ is an order with respect to $=_\beta$. Let $\lambda S$ be the $\gamma PTS$ generated by $(S, \gamma, \mathcal{A}, \mathcal{R})$, with $\gamma$ the former relation and $\mathcal{A}$ and $\mathcal{R}$ the following sets of axioms and rules:

$\mathcal{A} = \{* : \Box_0,\ \Box_i : \Box_{i+1} \mid i \in \omega\}$

$\mathcal{R} = \{* : * : *,\ \Box_i : * : *,\ * : \Box_i : \Box_i,\ \Box_i : \Box_j : \Box_{\max(i,j)} \mid i, j \in \omega\}$

Then, this system is equivalent to Thierry Coquand's CC^ω system [ref].



Lemma 4. Let $\Gamma = x_1 : A_1, \ldots, x_n : A_n \vdash c : C$. Then

(i) $FV(c : C) \subseteq Var(\Gamma)$

(ii) $\forall i, j\,[1 \le i, j \le n][x_i = x_j \Rightarrow i = j]$

(iii) $p : q \in \mathcal A \;\Rightarrow\; \Gamma \vdash p : q$

(iv) $y : D \in \Gamma \;\Rightarrow\; \Gamma \vdash y : D$

(a) Substitution lemma: if $\Gamma_1 \vdash d : D$, then

$\Gamma_1, y : D, \Gamma_2 \vdash c : C \;\Rightarrow\; \Gamma_1, \Gamma_2[y := d] \vdash c[y := d] : C[y := d]$

(b) Thinning lemma: $\Gamma_2$ legal $\;\wedge\; \Gamma_1 \vdash b : B \;\wedge\; \Gamma_1 \subseteq \Gamma_2 \;\Rightarrow\; \Gamma_2 \vdash b : B$

(c) $\Delta \vdash \lambda x : A.b : R \;\vee\; \Delta \vdash x : R \;\vee\; \Delta \vdash ab : R \;\Rightarrow\; \Delta \vdash R : \Box$



Lemma 5 (Generation lemma).

(i) $\Gamma \vdash p : R \;\Rightarrow\; p : q \in \mathcal A \;\wedge\; q \rightsquigarrow R$

(ii) $\Gamma \vdash x : R \;\Rightarrow\; x : R' \in \Gamma \;\wedge\; \Gamma \vdash R' : s' \;\wedge\; R' \rightsquigarrow R$

(iii) $\Gamma \vdash \Pi x : A.B : R \;\Rightarrow\; \Gamma, x : A \vdash B : s_2 \;\wedge\; \Gamma \vdash A : s_1 \;\wedge\; s_3 \rightsquigarrow R$, for some rule $s_1 : s_2 : s_3 \in \mathcal R$

(iv) $\Gamma \vdash \lambda x : A.b : R \;\Rightarrow\; \Gamma \vdash A : s_1 \;\wedge\; \Gamma, x : A \vdash b : B : s_2 \;\wedge\; \Pi x : A.B \rightsquigarrow R$

(v) $\Gamma \vdash bc : R \;\Rightarrow\; \Gamma \vdash b : \Pi x : C.F,\ c : C,\ F[x := c] : s \;\wedge\; F[x := c] \rightsquigarrow R$
Corollary 6.

(a) $\vdash s : \Box \;\wedge\; \Delta$ legal $\;\Rightarrow\; \Delta \vdash s : \Box$

(b) Correctness of types: $\Gamma \vdash c : C \;\Rightarrow\; C = s \;\vee\; \Gamma \vdash C : s$, for some sort $s$

(c) If $\Gamma \vdash \lambda x : A.b : R$, there is a sequence of terms $X_0, \ldots, X_n$ verifying

$X_0 = \Pi x : A.B,\qquad X_n = R,\qquad \Gamma \vdash A : s_1,\qquad \Gamma, x : A \vdash b : B : s_2$

$\forall i\,[0 \le i < n]\,[\Gamma \vdash \lambda x : A.b : X_i \;\wedge\; (X_i =_\beta X_{i+1} \;\vee\; X_i \to_\gamma X_{i+1})]$

(d) If $\Gamma \vdash \Pi x : A.B : Q$, then for a certain rule $s_1 : s_2 : s_3 \in \mathcal R$

$\Gamma \vdash A : s_1,\qquad \Gamma, x : A \vdash B : s_2,\qquad (s_3 = Q \;\vee\; \Gamma \vdash Q : s,\ s_3 \rightsquigarrow Q)$

The reciprocal of (b) does not hold: $\vdash C : \Box$ could hold but $\forall c\,[\nvdash c : C]$; i.e.,
there are correct types without inhabitants (Corollary 16(f)). In $\gamma CC^\omega$ and in other
systems a stronger result can be obtained,

$\Gamma \vdash c : C \;\Rightarrow\; \Gamma \vdash C : s$   [SCT]

and that property eliminates many technical problems. This result does not hold
for every PTS, and hence not for every $\gamma$PTS. However, it can be obtained
by adding some additional (cumulative) properties to $\gamma$.

Corollary 7. (a) If $\Gamma$ is legal, then $\Box : \mathcal A_\gamma = \{s \mid \Gamma \vdash \Box : s\}$

(b) If $\Gamma \vdash \Pi x : A.B : \_$, then

$(\Gamma \hat\vdash A) : (\Gamma, x : A \hat\vdash B) : \mathcal R_\gamma = \{s \mid \Gamma \vdash \Pi x : A.B : s\}$

where $\Gamma \hat\vdash A$ denotes the set of $\Gamma$-types of $A$, and

$\Box : \mathcal A_\gamma = \{A \mid \Box : A' \in \mathcal A,\ A' = A \;\vee\; (A' \twoheadrightarrow_\gamma A \;\wedge\; A : \_ \in \mathcal A)\}$

$X_1 : X_2 : \mathcal R_\gamma = \{\Box \mid s_1 : s_2 : s_3 \in \mathcal R,\ s_1 \in X_1,\ s_2 \in X_2,\ s_3 = \Box \;\vee\; (s_3 \twoheadrightarrow_\gamma \Box \;\wedge\; \Box : \_ \in \mathcal A)\}$

In order to achieve a decidable type checking, the sets $\Box : \mathcal A_\gamma$ and $X_1 : X_2 : \mathcal R_\gamma$
must be (effectively) decidable whenever the sets $X_1$ and $X_2$ are decidable.

In functional PTS [0] the uniqueness of types is obtained for the $=_\beta$ equality.
Because of the $(\gamma)$ rule, the corresponding result is weaker in $\gamma$PTS. We now
introduce a natural generalization of functional PTS: a $\gamma$PTS is $\gamma$-functional
when

$p : q,\ p' : q' \in \mathcal A \;\wedge\; p =_\gamma p' \;\Rightarrow\; q =_\gamma q'$

$s_1 : s_2 : s,\ s_1' : s_2' : s' \in \mathcal R \;\wedge\; s_1 =_\gamma s_1' \;\wedge\; s_2 =_\gamma s_2' \;\Rightarrow\; s =_\gamma s'$

Lemma 8 (Uniqueness of types for $\gamma$-functional and confluent systems). If $\lambda S$ is $\gamma$-functional and $\gamma \in CR$, then $\Gamma \vdash c : C, C' \;\Rightarrow\; C =_{\gamma\beta} C'$.

This lemma can be used to prove the condensation lemma for $\gamma$-functional
systems. If the system is not $\gamma$-functional, uniqueness of types is not assured,
not even for ordinary PTS. For PTS, van Benthem Jutting [3] introduces a
class of terms ($T_v$) where uniqueness of types under $=_\beta$ is assured. Also, if
$\gamma \neq \emptyset$, the following lemma may be used to study the least class of terms with
uniqueness of types for the relation

$A \sim A' \;\Longleftrightarrow\; \exists X, Z, Z'\,[A \twoheadrightarrow_\beta Z \twoheadrightarrow_\gamma X \twoheadleftarrow_\gamma Z' \twoheadleftarrow_\beta A']$

We want to assure that, when $\Gamma \vdash a : A, A'$, the types $A$ and $A'$ are connected
through the relations $\twoheadrightarrow_\beta$ and $\twoheadrightarrow_\gamma$.
Lemma 9 (Properties of the $\sim$ relation).

(i) $\sim$ is substitutive, reflexive and symmetric

(i') If $\gamma \in CR$, then $\sim$ is an equivalence

(ii) $B \sim B' \rightsquigarrow A' \;\Rightarrow\; B \sim A'$

(ii') $A \leftsquigarrow Z \rightsquigarrow A' \;\Rightarrow\; A \sim A'$

(iii) $\Pi x : C.F \sim \Pi x : C'.F' \;\Rightarrow\; C =_\beta C' \;\wedge\; F \sim F'$

(iv) Let $U = \{a \mid \forall \Gamma, A, A'\,[\Gamma \vdash a : A, A' \Rightarrow A \sim A']\}$; then
(a) $V \subseteq U$

(b) $b \in U \;\Rightarrow\; bc,\ \lambda x : A.b \in U$



Definition 10. Let $T_v$ be the least class of terms verifying properties (a) and
(b) of the last lemma, and $T_s$ the complementary class ($\Lambda - T_v$). Using Lemma
9, $T_v$ and $T_s$ are the classes inductively defined by the axioms

(i) $V \subseteq T_v$   (ii) $b \in T_v \;\Rightarrow\; bc,\ \lambda x : A.b \in T_v$

(i') $\Box,\ \Pi x : A.B \in T_s$   (ii') $b \in T_s \;\Rightarrow\; bc,\ \lambda x : A.b \in T_s$

The $T_s$ class is closed under $\beta$-reduction, while $T_v$ verifies the dual property:
$a \twoheadrightarrow_\beta a' \in T_v \;\Rightarrow\; a \in T_v$
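The classification of Definition 10 and the right $\Pi$-compatible closure of $\gamma$ (Lemma 1 and the appendix) can be made mechanical. The following Python code is an added example written for this page, not part of the paper: it encodes raw terms, computes free variables, classifies a term into $T_v$ or $T_s$ by the head of its spine, performs $\beta$-steps so that the closure properties of the two classes can be checked, and implements $\to_\gamma$ for the $\gamma CC^\omega$ relation of Example 3 ($* \to_\gamma \Box_0$, $\Box_i \to_\gamma \Box_{i+1}$). The term representation, the sort-name encoding and the Barendregt naming convention assumed by `subst` are choices made here.

```python
from dataclasses import dataclass
from typing import Optional, Set, Union


# Raw terms: sorts, variables, Pi-types, abstractions and applications.
@dataclass(frozen=True)
class Sort:
    name: str

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Pi:
    x: str
    dom: "Term"
    body: "Term"

@dataclass(frozen=True)
class Lam:
    x: str
    dom: "Term"
    body: "Term"

@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"

Term = Union[Sort, Var, Pi, Lam, App]


def fv(t: Term) -> Set[str]:
    """Free variables of a term."""
    if isinstance(t, Sort):
        return set()
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, (Pi, Lam)):
        return fv(t.dom) | (fv(t.body) - {t.x})
    return fv(t.fun) | fv(t.arg)


def classify(t: Term) -> str:
    """Definition 10: strip applications and abstractions down to the head of the
    spine; a variable head means T_v, a sort or Pi head means T_s."""
    while isinstance(t, (App, Lam)):
        t = t.fun if isinstance(t, App) else t.body
    return "Tv" if isinstance(t, Var) else "Ts"


def subst(t: Term, x: str, n: Term) -> Term:
    """t[x := n]. Assumes binders are named apart from fv(n) (Barendregt
    convention, an assumption of this example), so no renaming is needed."""
    if isinstance(t, Sort):
        return t
    if isinstance(t, Var):
        return n if t.name == x else t
    if isinstance(t, (Pi, Lam)):
        body = t.body if t.x == x else subst(t.body, x, n)
        return type(t)(t.x, subst(t.dom, x, n), body)
    return App(subst(t.fun, x, n), subst(t.arg, x, n))


def beta_step(t: Term) -> Optional[Term]:
    """One leftmost-outermost beta step; None when t is beta-normal."""
    if isinstance(t, App):
        if isinstance(t.fun, Lam):
            return subst(t.fun.body, t.fun.x, t.arg)
        f = beta_step(t.fun)
        if f is not None:
            return App(f, t.arg)
        a = beta_step(t.arg)
        return None if a is None else App(t.fun, a)
    if isinstance(t, (Pi, Lam)):
        d = beta_step(t.dom)
        if d is not None:
            return type(t)(t.x, d, t.body)
        b = beta_step(t.body)
        return None if b is None else type(t)(t.x, t.dom, b)
    return None


# gamma on constants for the CC^omega instance of Example 3: * ->γ □0, □i ->γ □(i+1).
# The sort names "*", "□0", "□1", ... are an encoding chosen for this example.
def gamma_sort(s: Sort) -> Optional[Sort]:
    if s.name == "*":
        return Sort("□0")
    if s.name.startswith("□"):
        return Sort("□" + str(int(s.name[1:]) + 1))
    return None


def gamma_step(t: Term) -> Optional[Term]:
    """Right Pi-compatible closure of gamma: only the sort at the end of a Pi-spine
    is rewritten; nothing happens under lambda, in applications or in Pi domains."""
    if isinstance(t, Sort):
        return gamma_sort(t)
    if isinstance(t, Pi):
        b = gamma_step(t.body)
        return None if b is None else Pi(t.x, t.dom, b)
    return None


def gamma_reduces(a: Term, b: Term, fuel: int = 64) -> bool:
    """a ->>γ b: gamma is deterministic in this instance, so walk the unique chain."""
    t = a
    for _ in range(fuel):
        if t == b:
            return True
        nxt = gamma_step(t)
        if nxt is None:
            return False
        t = nxt
    return False
```

Running it, $(\lambda y{:}A.\,\Pi x{:}y.*)\,A$ is in $T_s$ and so is its $\beta$-reduct $\Pi x{:}A.*$, while $(\lambda y{:}A.y)\,z \in T_v$ reduces to the variable $z$; `gamma_step` rewrites $\Pi x{:}A.*$ to $\Pi x{:}A.\Box_0$ and leaves the free variables unchanged, as Lemma 1(iv) states.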

Lemma 11 (Uniqueness of types in the $T_v$ class). If $a \in T_v$,

(a) $\Gamma \vdash a : A, A' \;\Rightarrow\; \Gamma \vdash A : \Box \;\wedge\; A \sim A'$

(b) In any PTS, $\Gamma \vdash a : A, A' \;\Rightarrow\; A =_\beta A'$

Proof. (a) follows from Lemma 9 and Lemma 4; for (b) we take $\gamma = \emptyset$. □

The idea of dividing the set of terms into two classes ($\Lambda = T_s \cup T_v$) is due
to L.S. van Benthem Jutting, and that partition is used to prove two important
results: the condensation lemma and the decidability of type checking. We will
also use that division for the same purpose. The result (b) above is the one
obtained in [3] (page 33). There is a better result that generalizes Lemma 4.4
in [3] (page 34):

Lemma 12 (Characterization of types in the $T_s$ class). The relation

$B \sim B' \;\Longleftrightarrow\; \exists \Delta, \Box, \Box'\,[B =_\beta \Pi\Delta.\Box \;\wedge\; B' =_\beta \Pi\Delta.\Box']$

verifies the following properties:

(i) $\sim$ is a substitutive equivalence

(ii) $B \sim B' \;\wedge\; B' \rightsquigarrow C \;\Rightarrow\; B \sim C$

(iii) $B \sim B' \;\Longleftrightarrow\; \Pi x : A.B \sim \Pi x : A.B'$

(iv) $c \in T_s \;\wedge\; \Gamma \vdash c : C, C' \;\Rightarrow\; C \sim C'$

(v) Uniqueness of domains: $\Gamma \vdash a : \Pi x : A_1.B_1,\ \Pi x : A_2.B_2 \;\Rightarrow\; A_1 =_\beta A_2$

We see that the $\beta$-normal types of a term $a \in T_s$ follow the pattern $\Pi\Delta.s$. If
$\Gamma \vdash a : \Pi\Delta.s,\ \Pi\Delta.s'$, the constants $s$ and $s'$ will not always be related. This
also happens in PTS.
3 Context Reductions, Subjects, and Predicates

Definition 13. A relation $\triangleright$ on $\Lambda$ verifies the following properties when:

subject reduction $[S\triangleright]$:   $\Gamma \vdash c : C \;\wedge\; c \triangleright c' \;\Rightarrow\; \Gamma \vdash c' : C$

context reduction $[C\triangleright]$:   $\Gamma \vdash c : C \;\wedge\; \Gamma \triangleright \Gamma' \;\Rightarrow\; \Gamma' \vdash c : C$

predicate reduction $[P\triangleright]$:   $\Gamma \vdash c : C \;\wedge\; C \triangleright C' \;\Rightarrow\; \Gamma \vdash c : C'$

We will simplify the notation by writing $S\beta$ instead of $S_{\to_\beta}$, and similarly for
$P\gamma$. It may be interesting to look at the non-conservation of the type when the subject
is $\gamma$-reduced. For this purpose, we introduce the concept of weak subject $\gamma$-reduction:

$\Gamma \vdash c : \Box \;\wedge\; c \to_\gamma c' \;\Rightarrow\; \Gamma \vdash c' : \Box'$   $[Sf\gamma]$

Lemma 14. If $\Gamma \vdash c : C$, then

(i) $c \to_\beta c' \;\Rightarrow\; \Gamma \vdash c' : C$   $[S\beta]$

(ii) $\Gamma \to_\beta \Gamma' \;\Rightarrow\; \Gamma' \vdash c : C$   $[C\beta]$

(iii) $C \to_\beta C' \;\Rightarrow\; \Gamma \vdash c : C'$   $[P\beta]$

Proof. (i) and (ii) can be proved simultaneously by induction on the derivation
$\psi = \Gamma \vdash c : C$, for a single step of reduction ($c \to_\beta c'$ and $\Gamma \to_\beta \Gamma'$). The
proof is identical to the one exposed in [2], except when $\psi$ is inferred from the
$(apl)$-rule; in that case Corollary 6 can be applied. (iii) follows from the
correctness of types, $S\beta$ and the $(\beta)$-rule. □



Corollary 15. Let $\vdash_c$ be the system obtained by replacing the $(\beta)$ and $(\gamma)$ rules
with¹

$(\beta\gamma)$:   $\dfrac{\Gamma \vdash_c a : A \qquad \Gamma \vdash_c A' : s}{\Gamma \vdash_c a : A'}\quad A \rightsquigarrow A'$

Then the $\vdash$ and $\vdash_c$ systems are equivalent: $\Gamma \vdash_c c : C \;\Longleftrightarrow\; \Gamma \vdash c : C$

Proof. ($\Leftarrow$): by induction on $\Gamma \vdash c : C$, using the i.h. and $(=_\beta \cup \to_\gamma) \subseteq \rightsquigarrow$. ($\Rightarrow$): by
induction on $\Gamma \vdash_c c : C$, using the i.h. and $SP\beta$. □



Corollary 16.

(a) Context substitution: if $\Gamma \vdash Y_0 : s_0$, then

$\Gamma, y : Y, \Gamma' \vdash c : C \;\wedge\; Y_0 \to_{\gamma\beta} Y \;\Rightarrow\; \Gamma, y : Y_0, \Gamma' \vdash c : C$

(b) $\Gamma \vdash s : R \;\Rightarrow\; s : R' \in \mathcal A \;\wedge\; R' \twoheadrightarrow_\gamma \cdot \twoheadleftarrow_\beta R$

(c) If $Sf\gamma \vee P\gamma$, then $\Gamma \vdash y : R \;\Rightarrow\; \Gamma|_y \vdash R' : s \;\wedge\; R' \twoheadrightarrow_\gamma \cdot \twoheadleftarrow_\beta R$ (with $y : R' \in \Gamma$)

(d) $\Gamma \vdash \lambda x : A.b : R \;\Rightarrow\; \Gamma \vdash P : s_3,\ Q : s',\ \Pi x : A.B : s_3 \;\wedge\; \Gamma, x : A \vdash b : B$,
where $\Pi x : A.B \twoheadrightarrow_\beta P \twoheadrightarrow_\gamma Q \twoheadleftarrow_\beta R$

(e) $\Gamma \vdash \lambda x : A.b : \Pi x : A'.B' \;\Rightarrow\; \Gamma, x : A \vdash b : B'$

(f) $\lambda S \not\models N \;\Rightarrow\; \exists a, s\,[\vdash a : \Pi x : s.x]$

¹ the $(\beta\gamma)$ rule is named elsewhere the abstract reduction rule
If we consider $Y_0 \to_{\gamma\beta} Y$, the property in the last corollary is a property of
$\gamma\beta$-weak context expansion, in the sense that $\Gamma \vdash Y_0 : s$ is necessary. The proof
of (f) is similar to the one presented in [2] (5.2.31) for PTS. If $\Box : \Delta \in \mathcal A$ and
$\Delta : \Box : \Box \in \mathcal R$, then $\vdash (\Pi x : \Box.x) : \Box$; so, if the system is normalizing, there are
correct types without inhabitants. If $\vdash a : \Pi x : s.x$ held, the system would not
be normalizing.

Lemma 17 (Predicate $\gamma$-reduction in strong cumulative systems). If
$\lambda S \models [AC]$ and $[RC]$, then $\lambda S \models P\gamma$, where $[AC]$ and $[RC]$ are the following
strong cumulative conditions:

$\_ : q \in \mathcal A \;\wedge\; q \to_\gamma q' \;\Rightarrow\; q' : \_ \in \mathcal A$   [AC]

$\_ : \_ : \Box \in \mathcal R \;\wedge\; \Box \to_\gamma \Box' \;\Rightarrow\; \Box' : \_ \in \mathcal A$   [RC]

In $\gamma CC^\omega$ the strong correctness of types [SCT] holds, hence $P\gamma$ also holds.
Let us study the property $Ss\gamma^{-1}$ in $\gamma CC^\omega$. This property holds for constants,

$\Gamma \vdash s' : \Box \;\wedge\; s \to_\gamma s' \;\Rightarrow\; \Gamma \vdash s : \Box$

It is enough to prove it for a single reduction step. So, if $* \to_\gamma \Box_0$ and $\Gamma \vdash \Box_0 : p$,
by the generation lemma $\Box_1 \twoheadrightarrow_\gamma p$, hence $\Gamma \vdash * : \Box_0$ and we can use $P\gamma$. The
other case is treated in a similar way. Now we can apply the following result:

Lemma 18. In order to verify $Ss\gamma^{-1}$ it is enough to prove, for every pair of constants,

$\Gamma \vdash s' : \Box \;\wedge\; s \to_\gamma s' \;\Rightarrow\; \Gamma \vdash s : \Box$

This result does not hold if we replace $Ss\gamma^{-1}$ by $Sf\gamma$; i.e., $Sf\gamma$ may hold for
constants but not for every term (see Example 24).

We saw that, if $\Gamma \vdash a : A, A'$, then

$a \in T_v \;\Rightarrow\; A \twoheadrightarrow_\beta \cdot \twoheadrightarrow_\gamma X \twoheadleftarrow_\gamma \cdot \twoheadleftarrow_\beta A'$ for some $X$,

but $\Gamma \vdash a : X$ does not always hold. Let us study now these two problems:

$\Gamma \vdash a : A, A' \;\Rightarrow\; \Gamma \vdash a : X \;\wedge\; X \rightsquigarrow A \;\wedge\; X \rightsquigarrow A'$

$\Gamma \vdash a : \_ \;\Rightarrow\; \Gamma \vdash a : A^* \;\wedge\; \forall A'\,[\Gamma \vdash a : A' \Rightarrow A^* \rightsquigarrow A']$

Such an $A^*$, if it exists, is named a principal type (PT) for $a$. The first property is
named the CR property in [S]. We obtain a better result with the following:

Lemma 19 (CR property for the $T_v$ class). Let us consider a $\gamma$PTS where
the property $Ss\gamma^{-1}$ holds over the terms in the class $T_v$; then, for each $a \in T_v$,

$\Gamma \vdash a : A, A' \;\Rightarrow\; \Gamma \vdash a : X \;\wedge\; A \twoheadleftarrow_\gamma X \twoheadrightarrow_\gamma A'$

The condition $Ss\gamma^{-1}$ cannot be eliminated, as the next example shows.

Example 20. Let us consider the set of axioms, rules and relation $\gamma$

$\mathcal A = \{A : \Box,\ A_1 : \Box_1,\ A_2 : \Box_2\}$

$\mathcal R = \{\Box : \Box_1 : \Box_1,\ \Box : \Box_2 : \Box_2\}$

$\gamma = \{A \to_\gamma A_1,\ A \to_\gamma A_2\}$

Then $\vdash \Pi x : A.A_1 : \Box_1$ and $\vdash \Pi x : A.A_2 : \Box_2$, so $\vdash \lambda x : A.x : \Pi x : A.A_1$ and
$\vdash \lambda x : A.x : \Pi x : A.A_2$. But $\nvdash \lambda x : A.x : \Pi x : A.A$ (if $\vdash \Pi x : A.A : s$ then, by
generation, $\Box : \Box : \_ \in \mathcal R$, which is absurd). Let us note that $\lambda S \not\models Ss\gamma^{-1}$, but
$\lambda S \models Sf\gamma$, because it holds for the constants, and it is a trivial task to prove
that

$\Gamma \vdash \Pi x : A.B : s \;\wedge\; B \to_\gamma B' \;\Rightarrow\; B = B'$

So $\lambda x : A.x$ does not have a principal type. If we now consider

$\mathcal A = \{A : \Box,\ A_1 : \Box_1,\ A_2 : \Box_2,\ A : \Box_1,\ A : \Box_2\}$

$Ss\gamma^{-1}$ will hold over $T_v$ but not over $T_s$. In fact, $\vdash \Pi x : A.A : \Box_1$ and
$\vdash \Pi x : A.A : \Box_2$ but $\Box_1 \not\rightsquigarrow \Box_2$, so there are terms in class $T_s$ without PT. The
same may happen for class $T_v$:

$\vdash \lambda y : A.(\Pi x : A.A) : \Pi y : A.\Box_1$

$\vdash \lambda y : A.(\Pi x : A.A) : \Pi y : A.\Box_2,\qquad \Pi y : A.\Box_1 \not\rightsquigarrow \Pi y : A.\Box_2$



4 Strengthening and Condensing Lemmas 



Theorem 21 (Strengthening lemma for the $T_v$ class). Let us consider a $\gamma$PTS
with $T_v$-$P\gamma$ and $Ss\gamma^{-1}$ (or $Sf\gamma\gamma^{-1}$)²; then for each $a \in T_v$,

$\Gamma_1 \vdash a : \_ \;\wedge\; \Gamma_2 \vdash a : A \;\wedge\; \Gamma_1 \subseteq \Gamma_2 \;\Rightarrow\; \Gamma_1 \vdash a : A' \;\wedge\; A \twoheadrightarrow_\beta A'$

Proof. Induction on $a$, using the lemmas above. □



Let us note that $A$ could contain free variables appearing in $\Gamma_2$ but not in $\Gamma_1$,
so $\Gamma_1 \vdash a : A$ would not hold. The theorem above is trivial if $\beta$-uniqueness of
types holds in $T_v$.

From the substitution lemma, if $\Gamma_1 \vdash d : D$, then

$\Gamma_1, y : D, \Gamma_2 \vdash a : A \;\Rightarrow\; \Gamma_1, \Gamma_2[y := d] \vdash a[y := d] : A[y := d]$

hence, if $y \notin FV(\Gamma_2) \cup FV(a : A)$, then

$\Gamma_1, y : D, \Gamma_2 \vdash a : A \;\Rightarrow\; \Gamma_1, \Gamma_2 \vdash a : A$

Under certain conditions, the hypothesis $\Gamma_1 \vdash d : D$ may be eliminated. Even
more, it may happen that $\nexists d\,[\Gamma_1 \vdash d : D]$ (see the discussion after Corollary 16). This property will be
named the condensation property, as in [2] (we will use strengthening to denote the
property of Theorem 21). We will prove the condensation lemma using special
techniques that we analyze in the next subsections.

We know (Lemma 12) that types of terms in class $T_s$ are $\beta$-reducible to
terms of the form $\Pi\Delta.s$. It is natural to think that a term of the form $\Pi\Delta.s$
is $\beta$-equivalent to an abstraction such as $\lambda\Delta.d$. This property is related to the
strengthening property. Extending the property of Theorem 21 to class $T_s$ is
difficult. We will obtain for the $T_s$ class a weaker property that we will name
weak strengthening:

$\Delta \vdash a : \_ \;\wedge\; \Delta' \vdash a : \Pi\Delta_1.s \;\wedge\; \Delta \subseteq \Delta' \;\Rightarrow\; \exists d, \Delta_2\,[a \twoheadrightarrow_\beta \lambda\Delta_2.d \;\wedge\; \Delta, \Delta_2 \vdash d : s]$   $[ST_s]$

Besides, Theorem 26 shows that this property also holds for class $T_v$ if we add
an additional condition ($\Delta' \vdash a : s_1$). This property has been observed before, and
its proof is based on the use of a computable operator that we will study later
on. Now, let us study two operators that capture the final constants that may
appear in the $[ST_s]$ property.

² $T_v$-$P\gamma$ denotes $P\gamma$ over the $T_v$ class, and $Sf\gamma\gamma^{-1}$ means $Sf\gamma \wedge Sf\gamma^{-1}$.
Definition 22. Let $\partial$ and $\bar\partial$ be the following operators:

$\Gamma\partial a = \{s \mid \exists d, \Delta\,[a \twoheadrightarrow_\beta \lambda\Delta.d \;\wedge\; \Gamma, \Delta \vdash d : s]\}$

$\Gamma\bar\partial a = \{s \mid \exists \Delta\,[\Gamma \vdash a : \Pi\Delta.s]\}$

With these operators we can express the $[ST_s]$ property as

$\Delta \vdash a : \_ \;\wedge\; \Delta \subseteq \Delta' \;\Rightarrow\; \Delta'\bar\partial a \subseteq \Delta\partial a$   $[ST_s]$

In order to study this property, we will show that the operators $\partial$ and $\bar\partial$ have similar
properties and some dual ones.



Lemma 23 (Properties of the $\bar\partial$ operator).

(ii) $\Gamma \vdash a : s_1 \;\Rightarrow\; \{s \mid \Gamma \vdash a : s\} = \Gamma\bar\partial a$

(iii) $\Gamma$ legal $\;\Rightarrow\; \Gamma\bar\partial\Box = \Box : \mathcal A_\gamma$

(iv) $\Gamma \vdash \Pi x : A.B : \_ \;\Rightarrow\; \Gamma\bar\partial(\Pi x : A.B) = \Gamma\bar\partial A : (\Gamma, x : A)\bar\partial B : \mathcal R_\gamma$

(v) $\Gamma\bar\partial(\lambda x : A.b) \subseteq (\Gamma, x : A)\bar\partial b$

(vi) $b \in T_s,\ (Sf\gamma \vee P\gamma) \;\Rightarrow\; \Gamma\bar\partial(bc) \subseteq \Gamma\bar\partial b$

The condition $b \in T_s$ in property (vi) is essential. For example, in a PTS where
$\vdash \Pi x : A.x : \Box$ and $\vdash \Box : A$, taking $\Gamma = y : \Pi x : A.x$ and using the $(apl)$-rule and
the preceding lemmas, $\Box \in \Gamma\bar\partial(y\,\Box)$ but $\Gamma\bar\partial y = \emptyset$ (if $\Gamma \vdash y : \Pi\Delta.s$ then, by
uniqueness of types in $T_v$, $\Pi x : A.x \sim \Pi\Delta.s$, which is impossible because $x \neq s$).



Example 24. Neither the condition $P\gamma$ nor $Sf\gamma$ can be eliminated from property (vi). For example, let us consider $\lambda S$ with

$\mathcal A = \{A : \Box,\ \Box : A,\ \Box : A',\ A' : \nabla\}$

$\mathcal R = \{\Box : \Box : \Box\}$

$\gamma = \{A \to_\gamma A'\}$

Then,

for $b = \lambda x : A.x\ (\in T_v)$:   $A' \in \bar\partial(b\,\Box)$ and $A' \notin \bar\partial(b)$

for $b' = \lambda x : A.\Box\ (\in T_s)$:   $A' \in \bar\partial(b'\,\Box)$ and $A' \notin \bar\partial(b')$

$\lambda S \not\models Sf\gamma$, i.e.:   $\vdash \Pi x : A.A : \Box$ but $\nvdash \Pi x : A.A' : \_$

$\lambda S \not\models P\gamma$, i.e.:   $\vdash b : \Pi x : A.A$ but $\nvdash b : \Pi x : A.A'$



Lemma 25 (Properties of the $\partial$ operator).

(i) $a \twoheadrightarrow_\beta a' \;\Rightarrow\; \Gamma\partial a' = \Gamma\partial a$

(ii) $\Gamma \vdash a : s_1 \;\Rightarrow\; \Gamma\partial a = \{s \mid \Gamma \vdash a' : s,\ a \twoheadrightarrow_\beta a'\}$

(iii) $\Gamma$ legal $\;\Rightarrow\; \Gamma\partial\Box = \Box : \mathcal A_\gamma$

(iv) $\Gamma \vdash \Pi x : A.B : \_ \;\Rightarrow\; \Gamma\partial(\Pi x : A.B) = \Gamma\partial A : (\Gamma, x : A)\partial B : \mathcal R_\gamma$

(v) $(\Gamma, x : A)\partial b \subseteq \Gamma\partial(\lambda x : A.b)$

(vi) $\Gamma \vdash bc : \_ \;\Rightarrow\; \Gamma\partial b \subseteq \Gamma\partial(bc)$

The condition "$bc$ is $\Gamma$-typable" in (vi) is essential: in a suitable system (see the examples of
this section) $\Gamma\partial((\lambda x : A.x)\,y) = \emptyset$ while $\Gamma\partial(\lambda x : A.x) \neq \emptyset$. The reciprocal inclusion in (vi)
does not hold: $\Gamma\partial(x\,\Box) \neq \emptyset$ and $\Gamma\partial x = \emptyset$.

Let us observe that $a \twoheadrightarrow_\beta a' \;\Rightarrow\; \Gamma\bar\partial a \subseteq \Gamma\bar\partial a' \subseteq \Gamma\partial a' = \Gamma\partial a$: with
$\beta$-reduction $\bar\partial$ increases, but its bound depends on $a$ and not on any reduct $a'$.
We conjecture that for $\beta$-normal forms $\Gamma\partial a = \Gamma\bar\partial a$.
Theorem 26 (Weak strengthening property). Let $\Gamma_1 \subseteq \Gamma_2$ be two contexts in a $\gamma$PTS verifying $Ss\gamma^{-1}P\gamma$³ (or $Sf\gamma\gamma^{-1}$). Then, for every term $a$
that is $\Gamma_1$-typable,

$(a \in T_v \;\wedge\; \Gamma_2 \vdash a : s_1) \;\vee\; a \in T_s \;\Rightarrow\; \Gamma_2\bar\partial a \subseteq \Gamma_1\partial a$   $[ST_s]$

Proof. Induction on $a$, using Lemmas 23 and 25, Theorem 21 and the corollaries above. □

Example 27. In $[ST_s]$ the inclusion $\subseteq$ can be proper. Take $\gamma = \emptyset$ and

$\mathcal A = \{A : \Box,\ \Box : A,\ \Box : \nabla\}$

$\mathcal R = \{\Box : \Box : \Box\}$

Then, if $a = (\lambda x : A.x)\,\Box$, we have $\vdash a : A$ and $\nvdash a : \nabla$, so

$\partial a = \{A, \nabla\},\qquad \nabla \in \partial a,\qquad \nabla \notin \bar\partial a$

$\vdash a : A,\qquad a \twoheadrightarrow_\beta \Box,\qquad \vdash \Box : \nabla,\qquad \nvdash a : \nabla$

This example also shows that the subject expansion property does not hold.

Corollary 28. If $\lambda S \models Ss\gamma^{-1}P\gamma \;\vee\; Sf\gamma\gamma^{-1}$, then

$\Gamma_1 \vdash a : A \;\wedge\; \Gamma_2 \vdash a : \Box \;\wedge\; \Gamma_1 \subseteq \Gamma_2 \;\Rightarrow\; \exists a'\,[a \twoheadrightarrow_\beta a' \;\wedge\; \Gamma_1 \vdash a' : \Box]$

Proof. Follows from thinning, Lemmas 23 and 25, and Theorem 26. □

Theorem 29. If $\lambda S \models Ss\gamma^{-1}P\gamma \;\vee\; Sf\gamma\gamma^{-1}$,

(a) Weak condensation lemma:

$\Gamma_1, y : D, \Gamma_2 \vdash a : A \;\wedge\; y \notin FV(\Gamma_2) \cup FV(a) \;\Rightarrow\; \Gamma_1, \Gamma_2 \vdash a : A' \;\wedge\; A \twoheadrightarrow_\beta A'$

(b) Condensation lemma:

$\Gamma_1, y : D, \Gamma_2 \vdash a : A \;\wedge\; y \notin FV(\Gamma_2) \cup FV(a : A) \;\Rightarrow\; \Gamma_1, \Gamma_2 \vdash a : A$

Proof. We denote $\Gamma_y = \Gamma_1, y : D, \Gamma_2$ and $\Gamma = \Gamma_1, \Gamma_2$. (b) follows from (a), type
correctness and the $(\beta)$-rule. (a): by induction on the derivation $\psi = \Gamma_y \vdash a : A$.
Let us prove some cases.

$\psi$ ends with $(\gamma)$, with $\Gamma_y \vdash a : A_1$, $\Gamma_y \vdash A : s$ and $A_1 \to_\gamma A$; then, by i.h., $\Gamma \vdash a : A_1'$ with
$A_1 \twoheadrightarrow_\beta A_1'$, and by $\beta \diamond \gamma$ there is an $A'$ such that $A \twoheadrightarrow_\beta A'$ and $A_1' \twoheadrightarrow_\gamma A'$.

- If $A_1' \in S$, then $A' = \Box \in S$, so by $S\beta$ we obtain $\Gamma_y \vdash \Box : s$, hence $\vdash \Box : s$, and by
Corollary 6(a) $\Gamma \vdash \Box : s$ because $\Gamma$ is legal; the $(\gamma)$-rule then gives $\Gamma \vdash a : A'$.

- If $A_1' \notin S$, by type correctness $\Gamma \vdash A_1' : s'$, and by $Sf\gamma$ we have $\Gamma \vdash A' : s''$;
then we use the $(\gamma)$-rule again.

- If $P\gamma$ holds, the last two steps are direct.

$\psi$ ends with $(\lambda)$, $a = \lambda x : C.b$, with

$\Gamma_y \vdash C : s_1$   (0)

$\Gamma_y, x : C \vdash B : s_2$   (1)

$\Gamma_y, x : C \vdash b : B$   (2)

We can apply the i.h. to (0) and (2) to obtain

$\Gamma \vdash C : s_1,\qquad \Gamma, x : C \vdash b : B'$ with $B \twoheadrightarrow_\beta B'$   (4)

and, from (1) and $S\beta$, we have

$\Gamma_y, x : C \vdash B' : s_2$   (5)

But, because $y \in FV(B)$ is possible, we cannot apply the i.h. to (1). This is the real
problem, because if we had

$\Gamma, x : C \vdash B' : s_2$   (6)

we could apply the $(\lambda)$ rule, together with (4), to obtain
$\Gamma \vdash (\lambda x : C.b) : \Pi x : C.B'$ with $\Pi x : C.B \twoheadrightarrow_\beta \Pi x : C.B'$.
In order to obtain something similar to (6) we reason as follows: by the type
correctness property applied to (4), we distinguish two cases.

- If $B' = \Box \in S$ then, by (5) and Corollary 6(a), $\Gamma, x : C \vdash \Box : s_2$.

- If $\Gamma, x : C \vdash B' : s_2'$, then we apply Corollary 28 to this derivation and (5) to
obtain $\Gamma, x : C \vdash B'' : s_2$ with $B \twoheadrightarrow_\beta B' \twoheadrightarrow_\beta B''$; then we apply $P\beta$ to (4), and
finally the $(\lambda)$-rule, to obtain

$\Gamma \vdash \lambda x : C.b : \Pi x : C.B''$ with $\Pi x : C.B \twoheadrightarrow_\beta \Pi x : C.B''$ □

³ $Ss\gamma^{-1}P\gamma$ is a simplification of $Ss\gamma^{-1} \wedge P\gamma$.

The first formulation of the condensation lemma is due to van Daalen (for
AUTOMATH); an analogous result is proved for the system ECC, but obtaining
$A' \rightsquigarrow A$ instead of $A \twoheadrightarrow_\beta A'$. However, because in ECC we have $\forall i, j\,[i < j]\,[\vdash \Box_i : \Box_j]$,
the conditions of the weak condensation theorem hold; thus our result is stronger.
[3] proves the same lemma for PTS, which is a particular instance of our lemma
when $\gamma = \emptyset$.

5 Decidability 

If we substitute in Lemma 25(v, vi) the symbol $\subseteq$ by an equality, a new operator
$\mathcal D$ is obtained, and we can extend it to any term:

Definition 30. Let $\mathcal D$ be the following operator:

$\Gamma\mathcal D\Box = \Box : \mathcal A_\gamma$

$\Gamma\mathcal D(\Pi x : A.B) = \Gamma\mathcal D A : (\Gamma, x : A)\mathcal D B : \mathcal R_\gamma$

If $b \in T_v$:   $\Gamma\mathcal D b = \{s \mid \Gamma \vdash b : s\}$

If $b \in T_s$:   $\Gamma\mathcal D(\lambda x : A.b) = (\Gamma, x : A)\mathcal D b$,   $\Gamma\mathcal D(bc) = \Gamma\mathcal D b$

It is easy to realize that $\mathcal D$ extends in a natural way the $E(\Gamma, a)$ operator from
[2]. In addition, we will admit that the following conditions hold in our system (they
are trivial when $S$ is finite):

$\Box : \mathcal A_\gamma$ is decidable   [$\mathcal A$-dec]

$X_1, X_2$ decidable $\;\Rightarrow\; X_1 : X_2 : \mathcal R_\gamma$ decidable   [$\mathcal R$-dec]

Then $\mathcal D$ is computable if it is computable for the terms in $T_v$. So, the
computability of the set $\{s \mid \Gamma \vdash a : s\}$ is assured if we prove that

$\{s \mid \Gamma \vdash a : s\} \subseteq \Gamma\bar\partial a \subseteq \Gamma\mathcal D a \subseteq \Gamma\partial a \subseteq \{s \mid \Gamma \vdash a : s\}$

The following results generalize the results 5.3-5.4 in [2] (page 34).

Lemma 31. (a) If $a$ is $\Gamma$-typable, $\Gamma\bar\partial a \subseteq \Gamma\mathcal D a$.

(b) If $\lambda S \models Sf\gamma \vee P\gamma$,

$(a \in T_v \;\wedge\; \Gamma \vdash a : s_1) \;\vee\; a \in T_s \;\Rightarrow\; \Gamma\mathcal D a \subseteq \Gamma\partial a$

$a \in \beta_n \;\wedge\; \Gamma \vdash a : s_1 \;\Rightarrow\; \Gamma\mathcal D a = \{s \mid \Gamma \vdash a : s\}$

Proof. Induction on $a$, using Lemmas 23 and 25. □
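Definition 30 and the sets $\Box : \mathcal A_\gamma$ and $X_1 : X_2 : \mathcal R_\gamma$ of Corollary 7 are directly computable on closed $T_s$ types (sorts and $\Pi$-types built only from sorts), because no typing judgment is needed there. The Python code below is an added example for this page, not the paper's own: it implements those two sets and the $\mathcal D$ operator on that fragment, instantiated with the system of Example 20 (in both of its axiom sets) and with the $\gamma CC^\omega$ of Example 3. Representing sorts by strings, truncating $CC^\omega$ to finitely many $\Box_i$ and using the usual $CC^\omega$ rules are assumptions made here.

```python
from dataclasses import dataclass
from typing import Set, Tuple, Union


@dataclass(frozen=True)
class Pi:
    x: str
    dom: "TsType"
    body: "TsType"


# Sorts are plain strings; the fragment handled here consists of closed T_s types
# (sorts and Pi-types over them), for which Definition 30 needs no typing judgment.
TsType = Union[str, Pi]


@dataclass
class GammaPTS:
    axioms: Set[Tuple[str, str]]        # (s, s') stands for s : s' ∈ A
    rules: Set[Tuple[str, str, str]]    # (s1, s2, s3) stands for s1 : s2 : s3 ∈ R
    gamma: Set[Tuple[str, str]]         # (s, s') stands for s ->γ s'

    def has_axiom(self, s: str) -> bool:
        """s : _ ∈ A"""
        return any(a == s for a, _ in self.axioms)

    def gamma_closure(self, s: str) -> Set[str]:
        """{s' | s ->>γ s'}, by search over the finite relation."""
        seen, todo = {s}, [s]
        while todo:
            cur = todo.pop()
            for a, b in self.gamma:
                if a == cur and b not in seen:
                    seen.add(b)
                    todo.append(b)
        return seen

    def axiom_types(self, s: str) -> Set[str]:
        """s : A_γ = {A | s : A' ∈ A, A' = A ∨ (A' ->>γ A ∧ A : _ ∈ A)}"""
        out: Set[str] = set()
        for a, a1 in self.axioms:
            if a == s:
                out.add(a1)
                out |= {b for b in self.gamma_closure(a1) if self.has_axiom(b)}
        return out

    def rule_sorts(self, x1: Set[str], x2: Set[str]) -> Set[str]:
        """X1 : X2 : R_γ = {s | s1:s2:s3 ∈ R, s1 ∈ X1, s2 ∈ X2,
        s3 = s ∨ (s3 ->>γ s ∧ s : _ ∈ A)}"""
        out: Set[str] = set()
        for s1, s2, s3 in self.rules:
            if s1 in x1 and s2 in x2:
                out.add(s3)
                out |= {b for b in self.gamma_closure(s3) if self.has_axiom(b)}
        return out

    def D(self, t: TsType) -> Set[str]:
        """Definition 30 on closed T_s types: the sorts that type t."""
        if isinstance(t, str):
            return self.axiom_types(t)
        return self.rule_sorts(self.D(t.dom), self.D(t.body))


# The system of Example 20: constants A, A1, A2 with γ = {A ->γ A1, A ->γ A2}.
EX20 = GammaPTS(
    axioms={("A", "□"), ("A1", "□1"), ("A2", "□2")},
    rules={("□", "□1", "□1"), ("□", "□2", "□2")},
    gamma={("A", "A1"), ("A", "A2")},
)

# The same with the two extra axioms A : □1, A : □2 used later in Example 20.
EX20_EXTENDED = GammaPTS(
    axioms=EX20.axioms | {("A", "□1"), ("A", "□2")},
    rules=set(EX20.rules),
    gamma=set(EX20.gamma),
)


def cc_omega(levels: int) -> GammaPTS:
    """γCC^ω of Example 3 truncated to □0 .. □(levels-1). The truncation is an
    assumption of this example; the rules are the usual CC^ω rules, and γ coincides
    with the axiom pairs (* ->γ □0, □i ->γ □(i+1))."""
    box = [f"□{i}" for i in range(levels)]
    axioms = {("*", box[0])} | {(box[i], box[i + 1]) for i in range(levels - 1)}
    rules = {("*", "*", "*")}
    for i, si in enumerate(box):
        rules |= {(si, "*", "*"), ("*", si, si)}
        rules |= {(si, sj, box[max(i, j)]) for j, sj in enumerate(box)}
    return GammaPTS(axioms=axioms, rules=rules, gamma=set(axioms))
```

For Example 20, `EX20.D` returns $\{\Box_1\}$ for $\Pi x{:}A.A_1$ and $\emptyset$ for $\Pi x{:}A.A$, matching the typings claimed there, and with the two extra axioms it returns $\{\Box_1, \Box_2\}$ for $\Pi x{:}A.A$; in the truncated $\gamma CC^\omega$ the $\gamma$-closure in $\Box : \mathcal A_\gamma$ is what makes $\Box_1$ appear among the sorts of $*$.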
Lemma 32 (Generation lemma for $\beta$-normal types). If $\lambda S \models P\gamma \vee Sf\gamma$,
the $\Phi$ operator, $\Gamma\Phi a = \{A \mid A \in \beta_n \;\wedge\; \Gamma \vdash a : A\}$, verifies the following properties:

(i) $\Gamma\Phi(\Pi x : A.B) = \Gamma\Phi A : (\Gamma, x : A)\Phi B : \mathcal R_\gamma$

(ii) $\Gamma\Phi(\lambda x : A.b) = \Pi x : A_\beta.\{B \in (\Gamma, x : A)\Phi b \mid \Gamma\Phi A : (\Gamma, x : A)\Phi B : \mathcal R_\gamma \neq \emptyset\}$

(iii) $\Gamma\Phi(bc) = \{A' \mid \Pi x : C.A \in \Gamma\Phi b,\ C \in \Gamma\Phi c,\ A[x := c] \twoheadrightarrow_\beta A'\}$

(iv) $(\Gamma, y : A)\Phi e = \Gamma\Phi e$ if $(e = s \;\vee\; e = x \neq y) \;\wedge\; \Gamma\Phi A \cap S \neq \emptyset$;
$(\Gamma, y : A)\Phi e = \{B \mid A \rightsquigarrow B\}$ if $e = y \;\wedge\; \Gamma\Phi A \cap S \neq \emptyset$;
$(\Gamma, y : A)\Phi e = \emptyset$ if $\Gamma\Phi A \cap S = \emptyset$

(v) $\Gamma\Phi\Box = \Box : \mathcal A_\gamma$

(vi) $\Phi x = \emptyset$

Proof. (i) follows from Corollary 7 and the rules $(\Pi)$ and $(\gamma)$; (ii)-$\subseteq$ follows
from the generation lemma and type correctness; (ii)-$\supseteq$ follows from the $(\lambda)$-rule; (iii)-$\subseteq$
follows from $apl$-generation; in order to prove (iii)-$\supseteq$ we use the $(apl)$-rule,
$SP\beta$, $Sf\gamma$ and the $(\gamma)$-rule, or immediately if we have $P\gamma$; (iv) follows from
Corollary 16, $var$-generation, thinning, the $(weak)$-rule and context substitution;
(v) follows from the generation lemma and Corollary 7. □

Theorem 33. If the system is normalizing, $S$ is finite and $Ss\gamma^{-1}P\gamma \vee Sf\gamma\gamma^{-1}$, then
(i) the operator $\Phi$ is computable;
(ii) $\Gamma \vdash a : A$ is decidable.

Proof. (ii): by type correctness and the $(\beta)$-rule,

$\Gamma \vdash a : A \;\Longleftrightarrow\; A \in S \cap \Gamma\Phi a \;\vee\; (S \cap \Gamma\Phi A \neq \emptyset \;\wedge\; A_\beta \in \Gamma\Phi a)$

and by (i) the predicate on the right is computable. In order to prove (i) we
consider the lexicographic relation $\prec$ defined on the pairs $\Gamma \dashv a$ (i.e.:
$\Gamma \dashv c \prec \Gamma \dashv bc$, $\Gamma \dashv b \prec \Gamma \dashv bc$, $\Gamma, x : A \dashv b \prec \Gamma \dashv \lambda x : A.b$, $\Gamma \dashv A \prec \Gamma, x : A \dashv x$, etc.). We will
prove (i) by induction on $\prec$ in two phases.

- Phase 1: the $T_v$ class. We use induction on $\prec$ and the inductive definition of
$T_v$. From generation, uniqueness of domains, the CR property and Lemma 32 we have, for
typable terms in the $T_v$ class, that

$\Gamma\Phi(bc) = \{A' \mid \Pi x : C.A \in \Gamma\Phi b,\ A[x := c] \twoheadrightarrow_\beta A'\}$

$\Gamma\Phi(\lambda x : A.b) = \Pi x : A_\beta.(\Gamma, x : A)\Phi b$

Using induction on $\prec$ and Lemma 32(iv) we have the computability of $\Phi$ for
(typable) terms in the $T_v$ class. From the previous results and the definition of $\mathcal D$ we obtain
the computability of $\{s \mid \Gamma \vdash a : s\}$ for $a \in T_v$.

- Phase 2: the $T_s$ class. We use induction on $\prec$ and the inductive definition of $T_s$.
For the base case ($\Phi\Box$) we apply Lemma 32(v) (and [$\mathcal A$-dec]); the inductive steps
follow from Lemma 32(i-iv). The only complication is the implication:

both $(\Gamma, x : A)\Phi b$ and $\Gamma\Phi A$ computable $\;\Rightarrow\;$
$\{B \in (\Gamma, x : A)\Phi b \mid \Gamma\Phi A : (\Gamma, x : A)\Phi B : \mathcal R_\gamma \neq \emptyset\}$ computable

Let $\Delta = \Gamma, x : A$. By phase 1, if $\Delta \vdash B : s_2$ and $B \in T_v$, the set $\Delta\mathcal D B = \{s \mid \Delta \vdash B : s\}$ is computable. But if $\Delta \vdash B : M$ then $M \sim s_2$ or $M \rightsquigarrow s_2$; hence, if
$M \in \beta_n$ then $M \in S$. Summarizing: $\Delta\mathcal D B = \{s \mid \Delta \vdash B : s\}$ is computable. □
6 Related Work, Future Work, and Conclusions

Some authors study the problem of decidability using syntax-directed type systems,
while other authors use the typed abstract reduction concept.
Our study is closer to the original PTS. Obviously, our results are theoretical,
since it is quite hard to obtain a practical algorithm for type checking using
normal forms. While the general properties of $\gamma$PTS can be generalized when
introducing $\Sigma$-types (dependent sums), it is difficult to obtain a condensation
lemma keeping the partition proposed in [3]. We are currently working on
generalizing these results, and on studying the impact of the properties of weak closure
for $\gamma$-reduction in the Girard-Tait normalization method.
Appendix (Special Notation Used)

Sets:

$\beta_n$: $\beta$-normal forms

$FV(a)$: free variables of $a$

$FV(a : A)$: $FV(a) \cup FV(A)$

$Var(\Delta)$: $\{x_1, \ldots, x_n\}$, for a context $\Delta = x_1 : A_1, \ldots, x_n : A_n$

$x \in \Delta$: $x \in Var(\Delta)$, for $\Delta = x_1 : A_1, \ldots, x_n : A_n$

$FV(\Delta)$: $FV(A_1) \cup \ldots \cup FV(A_n)$, for $\Delta = x_1 : A_1, \ldots, x_n : A_n$

$\Box : \mathcal A$: $\{A \mid \Box : A \in \mathcal A\}$

$X_1 : X_2 : \mathcal R$: $\{s_3 \mid s_1 : s_2 : s_3 \in \mathcal R,\ s_1 \in X_1,\ s_2 \in X_2\}$

$\Box : \mathcal A_\gamma$: $\{A \mid \Box : A' \in \mathcal A,\ A' = A \;\vee\; (A' \twoheadrightarrow_\gamma A \;\wedge\; A : \_ \in \mathcal A)\}$

$X_1 : X_2 : \mathcal R_\gamma$: $\{\Box \mid s_1 : s_2 : s_3 \in \mathcal R,\ s_1 \in X_1,\ s_2 \in X_2,\ s_3 = \Box \;\vee\; (s_3 \twoheadrightarrow_\gamma \Box \;\wedge\; \Box : \_ \in \mathcal A)\}$

Classes:

$T_v$: $V \subseteq T_v$; $b \in T_v \;\Rightarrow\; bc,\ \lambda x : A.b \in T_v$

$T_s$: $\Box,\ \Pi x : A.B \in T_s$; $b \in T_s \;\Rightarrow\; bc,\ \lambda x : A.b \in T_s$

Operators:

$\Delta|_{x_{i+1}}$: $x_1 : A_1, \ldots, x_i : A_i$

$\Pi\Delta.B$: $\Pi x_1 : A_1.\Pi x_2 : A_2.\cdots.\Pi x_n : A_n.B$

$\lambda\Delta.b$: $\lambda x_1 : A_1.\lambda x_2 : A_2.\cdots.\lambda x_n : A_n.b$

$\Pi\Delta.X$: $\{\Pi\Delta.A \mid A \in X\}$

$\cdot$ (composition): $x\ R \cdot R'\ y \;\Longleftrightarrow\; \exists z\,[x\,R\,z \;\wedge\; z\,R'\,y]$

$\partial$: $\Delta\partial a = \{s \mid \exists d, \Delta'\,[a \twoheadrightarrow_\beta \lambda\Delta'.d \;\wedge\; \Delta, \Delta' \vdash d : s]\}$

$\bar\partial$: $\Delta\bar\partial a = \{s \mid \exists \Delta'\,[\Delta \vdash a : \Pi\Delta'.s]\}$

Relations:

$\to_\gamma$: right $\Pi$-compatible closure of $\gamma$:
$(Q, R) \in \gamma \;\Rightarrow\; Q \to_\gamma R$;   $Q \to_\gamma R \;\Rightarrow\; \Pi x : M.Q \to_\gamma \Pi x : M.R$

$\twoheadrightarrow_\gamma$: reflexive and transitive closure of $\to_\gamma$

$\rightsquigarrow$: $(=_\beta \cdot \twoheadrightarrow_\gamma \cdot =_\beta)$

$\sim$ (Lemma 9): $A \sim A' \;\Longleftrightarrow\; \exists X, Z, Z'\,[A \twoheadrightarrow_\beta Z \twoheadrightarrow_\gamma X \twoheadleftarrow_\gamma Z' \twoheadleftarrow_\beta A']$

$\sim$ (Lemma 12): $B \sim B' \;\Longleftrightarrow\; \exists \Delta, \Box, \Box'\,[B =_\beta \Pi\Delta.\Box \;\wedge\; B' =_\beta \Pi\Delta.\Box']$

Properties:

CR (Church-Rosser): $\twoheadleftarrow_\beta \cdot \twoheadrightarrow_\beta \;\subseteq\; \twoheadrightarrow_\beta \cdot \twoheadleftarrow_\beta$

$\beta \diamond \gamma$ (commutativity of $\beta$ and $\gamma$): $\twoheadleftarrow_\beta \cdot \twoheadrightarrow_\gamma \;\subseteq\; \twoheadrightarrow_\gamma \cdot \twoheadleftarrow_\beta$

$T_v$-$P\gamma$ (predicate $\gamma$-reduction in class $T_v$): $c \in T_v \;\wedge\; \Gamma \vdash c : C \;\wedge\; C \to_\gamma C' \;\Rightarrow\; \Gamma \vdash c : C'$

Subject $\gamma$-expansion and weak subject $\gamma$-reduction:

$Ss\gamma^{-1}$: $\Delta \vdash c : \Box \;\wedge\; c' \to_\gamma c \;\Rightarrow\; \Delta \vdash c' : \Box$

$Sf\gamma$: $\Delta \vdash c : \Box \;\wedge\; c \to_\gamma c' \;\Rightarrow\; \Delta \vdash c' : \Box'$
Abstract. We propose an implementation of a functional logic language
with parametric order-sorted types by translating typed lazy narrowing
into Prolog, and by establishing a reasonable strategy for combining data-
and type-constraint solving. By means of this translation, we describe
how types can be used at run time to prune the search space of solutions
of a goal. Moreover, we present type inference and checking compile-time
tools for the language, showing their usefulness for improving computations.



1 Introduction 

The combination of different declarative (especially functional and logic) paradigms
has been widely investigated during the last decade (see [..] for a survey)
and, as a consequence, several well-known functional logic languages arose, using
lazy narrowing as the goal-solving mechanism. More recently, the language CURRY
[..] integrates the most important features of functional, logic and concurrent
programming, providing a common platform for research on and application of
this kind of language.

One of the traditional topics of research in declarative paradigms has been the
incorporation of type systems, as an attempt to provide more structured, readable,
compile-time type-safe programs and run-time optimizations. In the functional
and the logic paradigms [..] the combination of parametric
types and order-sorted hierarchies, so-called subtyping, has been adopted as a
simple type system allowing one to subdivide and parametrize the universe of
discourse. In particular, the logic paradigm has benefited from the type system
by replacing syntactic unification with typed unification, which reduces the search
space of solutions.

In this paper we describe the implementation of a functional logic language
with subtyping whose operational semantics is based on typed lazy narrowing
(other implementations of typed logic languages are [..], based on Prolog, and
[..], based on a WAM extension with typed unification [..]). Typed lazy narrowing
was presented in [..]; it defines a rewriting calculus for solving data and type
constraints, but it does not state any concrete strategy for combining these solvers.
The interest of this combination is the use of type constraints for pruning
the search space of data constraints. It requires establishing how to keep type
information and how to use it at run time for solving lazy unification and looking
for values of logic variables.

* This research has been partially supported by the Spanish National Projects TIC95-0433-C03-01 "CPD" and TIC98-0445-C03-02 "TREND".

As a part of the implementation of the language, the type analysis at compile
time improves computations in several aspects (avoiding useless computations,
reducing the search space of logic variables). In the literature, the problem of
type analysis in logic programming with subtyping has been studied for type
inference in [..]. The approaches based on type inference focus on
the inference of an environment defining one type for every data variable in
every clause of a logic program. Following this line, [..] presents an algorithm
solving the incompleteness of the previous algorithms; however, it cannot
be adapted to our language because we use type conditions over expressions
instead of type conditions over terms.

The organization of the paper is as follows. Section 2 presents the syntax
of our language and its semantics by means of a calculus. The operational
semantics is defined in Section 3 and specified in Prolog in Section 4; Section 5
describes the details of the representation. Finally, Section 6 studies type analysis.



2 The Programming Language 



A polymorphic signature $\Sigma$ consists of (1) a type specification containing a ranked
set of polymorphic type constructors, partially ordered by $<$. For instance,
the type specification

opnat, nat $<$ int;   posint, zero $<$ nat;   negint, zero $<$ opnat;   elist($\alpha$), nelist($\alpha$) $<$ list($\alpha$)

defines subsort relations for integer numbers and parametric
lists. Following [..], $<$ is a lower quasi-lattice (and therefore an upper quasi-lattice)
defined for type constructors of the same arity. Types $\tau, \tau', \ldots$ are built
up from type constructors ($K, L, \ldots$) and type variables ($\alpha, \beta, \ldots$), and they can
be compared by extending $<$ to types. For instance, nelist(elist($\alpha$)) $<$ list(list($\alpha$))
and elist(nat) $<$ list(int). And (2) a set of type declarations for data constructors
($CON$) and functions ($FUN$). For instance, 0 : zero, suc : nat $\to$ posint, pred : opnat
$\to$ negint, [] : elist($\alpha$), [_|_] : $\alpha \to$ list($\alpha$) $\to$ nelist($\alpha$), head : nelist($\alpha$) $\to \alpha$, tail : nelist($\alpha$)
$\to$ list($\alpha$). Data constructor declarations $c : \tau_1 \ldots \tau_n \to \tau_0$ with extra type variables
in $\tau_0$ are completed by adding those variables as new arguments of the type
declaration, which is needed to ensure the existence of a least type for terms [..]. Expressions
$e, e', \ldots$ are built up from data constructor and function symbols and data
variables ($X, Y, \ldots$); terms $t, t', \ldots$ use only data constructors and data
variables.

Programs consist of a polymorphic signature $\Sigma$ and a set of non-overlapping
conditional constructor-based rewriting rules defining the behaviour of function
symbols. For instance, filter : ($\alpha \to$ bool) $\to$ list($\alpha$) $\to$ list($\alpha$) and $<$ : int $\to$ int $\to$
bool are defined by the rules:
bool are defined by the rules: 
filter P [] := []  $\Leftarrow$  P : $\alpha \to$ bool

filter P [X|L] := [X | filter P L]  $\Leftarrow$  (P X) == true  $\Box$  P : $\alpha \to$ bool, X : $\alpha$, L : list($\alpha$)

filter P [X|L] := filter P L  $\Leftarrow$  (P X) == false  $\Box$  P : $\alpha \to$ bool, X : $\alpha$, L : list($\alpha$)

$<$ X Y := true  $\Leftarrow$  X : opnat, Y : nat

$<$ X Y := false  $\Leftarrow$  X : posint, Y : opnat

$<$ X Y := false  $\Leftarrow$  X : zero, Y : negint

$<$ suc(X) suc(Y) := $<$ X Y  $\Leftarrow$  X : nat, Y : nat

$<$ pred(X) pred(Y) := $<$ X Y  $\Leftarrow$  X : opnat, Y : opnat

Formally, a program rule has the form $f\,t_1 \ldots t_n := r \Leftarrow C_d \,\Box\, C_t$, where the
body $r$ of the rule is an expression, and the rule condition, which establishes
the applicability conditions, is composed of a set of data ($C_d$) and type ($C_t$)
conditions. The elements of $C_d$ are strict equalities $l == r$ between expressions,
whereas the elements of $C_t$ are type conditions $e : \tau$. Furthermore, (i) the
tuple of terms $t_1 \ldots t_n$ is linear (i.e., no variable occurs more than once),
and (ii) $dvar(r) \subseteq dvar(t_1 \ldots t_n)$. Remark that (ii) does not exclude the existence
of extra variables in the rule condition; (i) and (ii), together with natural
non-overlapping conditions, ensure the functionality of definitions. A program
rule is said to be static well-typed if $(\Sigma, C_t) \vdash_{sw} t_i : \tau_i,\ r : \tau_0$ and there are $\sigma_j$ such
that $(\Sigma, C_t) \vdash_{sw} l_j : \sigma_j,\ r_j : \sigma_j$ for every $l_j == r_j \in C_d$, where $f : \tau_1 \ldots \tau_n \to \tau_0 \in FUN$,
and the relation $(\Sigma, C_t) \vdash_{sw} e : \tau$ holds if $e : \tau' \in C_t$ and $\tau' < \tau$,
or $e = h\,e_1 \ldots e_n$, $\tau_0 < \tau$ and $(\Sigma, C_t) \vdash_{sw} e_i : \tau_i$, $1 \le i \le n$, for an instance
$\tau_1 \ldots \tau_n \to \tau_0$ of the type declaration of $h \in CON \cup FUN$.

Goals are as conditions of a well-typed rule. Answers consist of triples $(V, \theta, \rho)$,
where $V$ is an environment¹ and $\theta$ (resp. $\rho$) is a data (resp. type) substitution
satisfying the well-typedness property $(\Sigma, V) \vdash_{sw} X\theta : \tau$ for every $X : \tau \in V$. For
instance:
instance: 



X == filter ($<$ Y) [0, pred(0), suc(suc(0)), suc(0), pred(pred(0))]  $\Box$  X : nelist(int), Y : nat

has the following answers:

==> X : nelist(nat), Y : zero, X = [0, suc(suc(0)), suc(0)], Y = 0
==> X : nelist(posint), Y : posint, X = [suc(suc(0)), suc(0)], Y = suc(0)
==> X : nelist(posint), Y : posint, X = [suc(suc(0))], Y = suc(suc(0))

The most general answers of a goal consist of the most general data and type
substitutions and the greatest (resp. smallest) environments $V$ w.r.t. the free
(resp. bound) variables (see [..] for more details).
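The subsort order, the least type of a term, the typed rules of $<$ and the three answers of the goal above can be reproduced by a small interpreter. The Python code below is an added example written for this page; it is not the implementation described in the paper and does not perform lazy narrowing. It encodes the type specification and constructor declarations of Section 2, extends the order $<$ of the page (implemented here as the reflexive `leq`) to types as in the examples, computes least types and least upper bounds, selects among the rules of $<$ by pattern and type conditions, and enumerates $Y$ over nat to find the answers of the goal. The tuple encodings of types and terms, the treatment of the type variable of [] and the stopping criterion of the enumeration are choices made here.

```python
from itertools import count
from typing import Callable, List, Set, Tuple, Union

# Types are ("constructor", *args) tuples; a bare string is a type variable.
Type = Union[str, tuple]
Term = tuple  # data terms: ("0",), ("suc", t), ("pred", t), ("[]",), ("cons", h, tl)

# The subsort declarations of Section 2, as an immediate-order relation on constructors.
SUBSORT = {("nat", "int"), ("opnat", "int"), ("posint", "nat"), ("zero", "nat"),
           ("negint", "opnat"), ("zero", "opnat"), ("elist", "list"), ("nelist", "list")}

# Constructor declarations of Section 2: argument types -> result type.
DECL = {"0": ((), ("zero",)),
        "suc": ((("nat",),), ("posint",)),
        "pred": ((("opnat",),), ("negint",))}


def upper_cons(c: str) -> Set[str]:
    """All constructors c' with c <= c' (reflexive-transitive closure of SUBSORT)."""
    seen, todo = {c}, [c]
    while todo:
        cur = todo.pop()
        for a, b in SUBSORT:
            if a == cur and b not in seen:
                seen.add(b)
                todo.append(b)
    return seen


def leq(t1: Type, t2: Type) -> bool:
    """The order extended to types: same arity, ordered constructors, argument-wise
    (so nelist(elist(a)) <= list(list(a)) and elist(nat) <= list(int))."""
    if isinstance(t1, str) or isinstance(t2, str):
        return t1 == t2  # a type variable is only below itself
    return (len(t1) == len(t2) and t2[0] in upper_cons(t1[0])
            and all(leq(a, b) for a, b in zip(t1[1:], t2[1:])))


def lub(t1: Type, t2: Type) -> Type:
    """Least upper bound; the order is a lower quasi-lattice, so a bounded pair of
    constructors has exactly one minimal common upper bound."""
    if isinstance(t1, str):
        return t2  # the fresh variable of [] is instantiated by the other element type
    if isinstance(t2, str):
        return t1
    common = upper_cons(t1[0]) & upper_cons(t2[0])
    minimal = [c for c in common if not any(d != c and c in upper_cons(d) for d in common)]
    if len(minimal) != 1:
        raise ValueError(f"no lub for {t1[0]} and {t2[0]}")
    return (minimal[0], *[lub(a, b) for a, b in zip(t1[1:], t2[1:])])


def least_type(t: Term) -> Type:
    """Least type of a constructor term; a list takes the lub of its element types."""
    if t[0] == "[]":
        return ("elist", "alpha")
    if t[0] == "cons":
        return ("nelist", lub(least_type(t[1]), least_type(t[2])[1]))
    arg_types, result = DECL[t[0]]
    for arg, ta in zip(t[1:], arg_types):
        if not leq(least_type(arg), ta):
            raise TypeError(f"ill-typed term {t}")
    return result


def nat(n: int) -> Term:
    t: Term = ("0",)
    for _ in range(n):
        t = ("suc", t)
    return t


def mk_list(items: List[Term]) -> Term:
    out: Term = ("[]",)
    for x in reversed(items):
        out = ("cons", x, out)
    return out


def list_items(t: Term) -> List[Term]:
    return [] if t[0] == "[]" else [t[1]] + list_items(t[2])


def lt(x: Term, y: Term) -> bool:
    """The typed rules for < of Section 2: a rule applies when its pattern matches and
    the least types of the arguments satisfy its type conditions (the conditions of
    the two recursive rules are already enforced by the declarations of suc and pred)."""
    tx, ty = least_type(x), least_type(y)
    if leq(tx, ("opnat",)) and leq(ty, ("nat",)):     # < X Y := true  <= X:opnat, Y:nat
        return True
    if leq(tx, ("posint",)) and leq(ty, ("opnat",)):  # < X Y := false <= X:posint, Y:opnat
        return False
    if leq(tx, ("zero",)) and leq(ty, ("negint",)):   # < X Y := false <= X:zero, Y:negint
        return False
    if x[0] == "suc" and y[0] == "suc":                # < suc(X) suc(Y) := < X Y
        return lt(x[1], y[1])
    if x[0] == "pred" and y[0] == "pred":              # < pred(X) pred(Y) := < X Y
        return lt(x[1], y[1])
    raise ValueError(f"no rule of < applies to {x}, {y}")


def filter_(p: Callable[[Term], bool], lst: Term) -> Term:
    return mk_list([x for x in list_items(lst) if p(x)])


def solve_goal(inputs: List[Term]) -> List[Tuple[Term, Term, Type, Type]]:
    """Answers (X, Y, type of X, type of Y) of
    X == filter (< Y) inputs  []  X : nelist(int), Y : nat,
    narrowing Y over nat. Since < Y x holds for fewer x as Y grows, the search stops
    at the first Y whose result violates X : nelist(int)."""
    answers = []
    for n in count():
        y = nat(n)
        x = filter_(lambda e: lt(y, e), mk_list(inputs))
        tx = least_type(x)
        if not leq(tx, ("nelist", ("int",))):
            break
        answers.append((x, y, tx, least_type(y)))
    return answers
```

`solve_goal` applied to the list of the goal returns exactly the three answers listed above, with X : nelist(nat), Y : zero for the first and X : nelist(posint), Y : posint for the other two; the next candidate Y = suc(suc(suc(0))) yields [], whose least type elist($\alpha$) is not below nelist(int), which is what stops the enumeration. The type conditions are what keep the rules of $<$ from overlapping: for suc(0) and suc(0) only the recursive rule is applicable, although the first three patterns also match.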

The semantics of the language is presented by means of a Typed Rewriting
Calculus (TRC, for short) in which formulas $\varphi$ are derived from a program $P$
and an environment $V$ (denoted by $(P, V) \vdash_{TRC} \varphi$). The soundness and
completeness of TRC w.r.t. the model semantics and typed lazy narrowing were
proved in earlier work. In the sequel we restrict the presentation to a first-order fragment of
the language, but it can be extended to higher order as in [..]. TRC provides
meaning to the following formulas $\varphi$: non-strict equalities $e \triangleright t$, representing that
the partial (i.e. possibly containing $\bot$) term $t$ approximates the value of $e$ (i.e.
$e$ is lazily unified with the partial term $t$); strict equalities $e == e'$, which will
be derived by reducing $e$ and $e'$ to the same total (without $\bot$) term; and, as a
novelty w.r.t. untyped calculi (e.g. [..]), type conditions $e : \tau$, which semantically
define the type of an expression. TRC is composed of the rules below³.

¹ Environments (exactly one type condition for every data variable) are not strong
enough to guarantee the static well-typedness of rules in our language. For instance,
the function second : nelist($\alpha$) $\to \alpha$ defined by second X := head(tail X) $\Leftarrow$
X : nelist($\alpha$), tail X : nelist($\alpha$) needs the condition tail X : nelist($\alpha$) to ensure the
existence of a second element in the list.



Bottom:
$$\frac{e : \tau}{e \rhd \bot(\tau)}$$

Reflexivity:
$$\frac{}{t \rhd t}\quad \text{if } t = X : \tau \in V \text{ or } t = c : \tau \in CON$$

Decomposition:
$$\frac{e_1 \rhd t_1, \ldots, e_n \rhd t_n,\ t_1 : \tau_1, \ldots, t_n : \tau_n}{c(e_1, \ldots, e_n) \rhd c(t_1, \ldots, t_n)}\quad \text{if } \tau_1 \ldots \tau_n \to \tau_0 \text{ is an instance of the type declaration of } c \in CON$$

Reduction I:
$$\frac{e_1 \rhd t_1, \ldots, e_n \rhd t_n,\ C_D,\ C_T,\ r \rhd t}{f(e_1, \ldots, e_n) \rhd t}\quad \text{if } f(t_1, \ldots, t_n) := r \Leftarrow C_D \Diamond C_T \in [R] \text{ and } t \ne \bot(\tau')$$

Strict Equality:
$$\frac{e \rhd t,\ e' \rhd t}{e == e'}\quad \text{if } t \text{ is total}$$

Type Assumption:
$$\frac{\sigma \le \tau}{X : \tau}\quad \text{if } X : \sigma \in V$$

Type Declaration:
$$\frac{e_1 : \tau_1, \ldots, e_n : \tau_n,\ \tau_0 \le \tau}{h(e_1, \ldots, e_n) : \tau}\quad \text{if } \tau_1 \ldots \tau_n \to \tau_0 \text{ is an instance of the declaration of } h \in CON \cup FUN$$

Reduction II:
$$\frac{e_1 \rhd t_1, \ldots, e_n \rhd t_n,\ C_D,\ C_T,\ r : \tau}{f(e_1, \ldots, e_n) : \tau}\quad \text{if } f(t_1, \ldots, t_n) := r \Leftarrow C_D \Diamond C_T \in [R]$$

The novelty of the typed lazy calculus we present is the proof of type conditions about functional expressions. In order to derive $f(\bar e) : \tau$ there are two possibilities: to consult the type declaration of $f$ or to use a program rule of $f$. For instance, from(0) : nelist(nat) can be proved directly from the type declaration from : nat → nelist(nat). However, second(from(0)) : nat needs the reduction of second(from(0)) to be proved. The lazy combination of both mechanisms is the so-called lazy type checking. Notice that lazy type checking is not necessarily a head normal form reduction; for instance, we can prove f(0) : nat, where f : nat → int is defined by f(X) := g(X) ⇐ X : nat, from g(0) : nat, where g : nat → nat.

TRC mixes equalities and type conditions in a coherent way, in the sense that it can be proved that the TRC-derivable (strict and non-strict) equalities are TRC-well-typed. An equality is TRC-well-typed if there exists a TRC-provable common type for both sides of the equality (see [2] for more details).



3 A Typed Lazy Narrowing Calculus

Operationally, typed lazy narrowing is expressed through a Typed Lazy Narrowing Calculus (TLNC) which consists of a set of transformation rules transforming goals $C \mapsto C'$ or producing failure. A TLNC-successful derivation $C \mapsto^* C'$ is a sequence of applications of transformation rules such that $C'$ is in solved form (i.e. TLNC-irreducible), representing a TLNC-answer for $C$. A TLNC-answer (solution) $(V, \theta, \rho)$ for a given goal $C$, denoted by $Sol(C)$, corresponds (via soundness and completeness results, cf. [2]) to a TRC-proof of $(P, V) \vdash_{TRC} C\theta\rho$. During the transformation process, $C$ can also contain statements $e \rhd t$ and $\tau \le \tau'$, whose meaning was (implicitly) given in TRC. Beside this, new statements are added to represent the answer $(V, \theta, \rho)$: $X = t$ and $\alpha = \tau$ are used in the construction of $\theta$ and $\rho$ respectively, and $Y : \alpha_Y$ is used for $V$. Below, we summarize the transformation rules.

Footnote: To model the behaviour of non-strict or partial functions, we introduce in the signature the data constructor ⊥ : α → α denoting the undefined value.

Footnote: $[R]$ is the set of program rule instances of the form $f(\bar t)\theta := r\theta \Leftarrow C_D\theta \Diamond C_T\theta\rho$.

Rules for $\approx$:

$\approx_1$) $f(\bar e) \approx e, C \mapsto e_1 \rhd t_1, \ldots, e_n \rhd t_n, C_D, C_T, r \approx e, \bar X : \alpha_{\bar X}, C$, where $f(\bar t) := r \Leftarrow C_D \Diamond C_T$ is a fresh instance of a program rule with new data variables $\bar X$

$\approx_2$) $X \approx t, X : \alpha_X, C \mapsto X = t, X : \alpha_X, t : \alpha_X, C[X/t]$

$\approx_3$) $X \approx c(\bar e), X : \alpha_X, C \mapsto X = c(\bar X), X : \alpha_X, c(\bar X) : \alpha_X, X_1 \approx e_1, \ldots, X_n \approx e_n, \bar X : \alpha_{\bar X}, C[X/c(\bar X)]$, if $X$ is not safe in $c(\bar e)$, and failure otherwise

$\approx_4$) $e \rhd X, X : \alpha_X, C \mapsto X = e, X : \alpha_X, e : \alpha_X, C[X/e]$

$\approx_5$) $X \approx X, C \mapsto C$

$\approx_6$) $c(\bar e) \approx d(\bar e'), C \mapsto e_1 \approx e'_1, \ldots, e_n \approx e'_n, C$, if $c = d$, and failure otherwise

When a program rule is applied using Narrowing ($\approx_1$ rule), the data conditions $C_D$ and type conditions $C_T$ of the rule are incorporated into the constraint system. Binding ($\approx_2$ rule), Imitation ($\approx_3$ rule) and Eager variable elimination ($\approx_4$ rule) differ from untyped versions in that lazy unification is replaced by typed lazy unification. When $X \approx e$ is solved, $e : \alpha_X$ is introduced in the constraint system in order to check that $e$ and $X$ have the same type (forcing the well-typedness of the equality). Identity ($\approx_5$ rule) and Decomposition ($\approx_6$ rule) remain as in untyped versions. Furthermore, in order to achieve laziness of the unification, it is supposed that a demand driven strategy is followed, suspending the lazy unification of $e \rhd X$ as long as $X$ does not demand the evaluation of $e$ in the rule conditions.

Any given implementation of these transformation rules must determine the order for solving data and type constraints. When a program rule is applied ($\approx_1$ rule), the lazy unification of $e_i \rhd t_i$ is solved before the rule conditions $C_D, C_T$ are solved. With respect to the demand driven strategy, instead of suspending $e \rhd X$, $X$ is bound to $e$ and the effect of this substitution is propagated over the goal, achieving the sharing of $e$ by considering a suspended form of $e$. In $\approx_2, \approx_3, \approx_4$, when $X \approx e$ is solved, the pruning of the search space is achieved by checking $e : \alpha_X$ at that point.



Footnote: We add a type variable $\alpha_Y$ to compute the type of every data variable $Y$ in $C$.

Footnote: In order to simplify the notation, we use $\approx$ for representing both $\rhd$ and $==$. In TLNC we suppose that type declarations and program rules are used with fresh variables. In the case of program rules, $X_i : \alpha_{X_i}$ is introduced for every new data variable $X_i$ (shortly $\bar X : \alpha_{\bar X}$).

Footnote: $\approx_3$ needs an occur check of $X$ in $c(\bar e)$. The occur check in lazy unification differs from the syntactic occur check: the occur check in $\approx_3$ checks that $X$ is not safe in $c(\bar e)$ (i.e. $X$ is in $c(\bar e)$ in the scope of a function symbol).
Rules for $:$

$:_1$) $X : \tau, C \mapsto \alpha_X \le \tau, C$

$:_2$) $h(\bar e) : \tau, C \mapsto e_1 : \tau_1, \ldots, e_n : \tau_n, \tau_0 \le \tau, C$, where $h \in CON \cup FUN$ and $\tau_1 \ldots \tau_n \to \tau_0$ is a fresh instance of the type declaration of $h$

$:_3$) $f(\bar e) : \tau, C \mapsto e_1 \rhd t_1, \ldots, e_n \rhd t_n, C_D, C_T, r : \tau, \bar X : \alpha_{\bar X}, C$, where $f(\bar t) := r \Leftarrow C_D \Diamond C_T$ is a fresh instance of a program rule with new data variables $\bar X$

According to the semantics of the language, type constraint solving may involve the application of a program rule ($:_3$ rule) when $f(\bar e) : \tau$ cannot be checked by using the type declaration of $f$ ($:_2$ rule). Since syntactic conditions of applicability cannot be established, don't know nondeterminism arises between the $:_2$ and $:_3$ rules.

Any given implementation of these transformation rules should solve $\tau_0 \le \tau$ in the $:_2$ rule as soon as it is incorporated into the goal, because its failure avoids solving $e_i : \tau_i$. Moreover, $\alpha_X \le \tau$ should be checked in the $:_1$ rule for compatibility with the other type constraints on $\alpha_X$. On the other hand, to get laziness in type condition solving, a lazy type checking strategy should be followed, applying $:_3$ whenever $:_2$ is not successful.

Rules for $\le$

$\le_1$) $K(\bar\tau) \le L(\bar\sigma), C \mapsto \tau_1 \le \sigma_1, \ldots, \tau_n \le \sigma_n, C$, if $K \le L$, and failure otherwise

$\le_2$) $\alpha \le \alpha, C \mapsto C$

$\le_3$) $\alpha \le K(\bar\tau), \alpha \le L(\bar\sigma), C \mapsto \alpha \le I(\bar\alpha), \alpha_1 \le \tau_1, \ldots, \alpha_n \le \tau_n, \alpha_1 \le \sigma_1, \ldots, \alpha_n \le \sigma_n, C$, if there exists the infimum $I$ of $K$ and $L$, and failure otherwise

$\le_4$) $\alpha \le L(\bar\tau), C \mapsto \alpha = K(\bar\alpha), \alpha_1 \le \tau_1, \ldots, \alpha_n \le \tau_n, C[\alpha/K(\bar\alpha)]$, where $K \le L$

$\le_5$) $\alpha \le \beta, C \mapsto \alpha = \beta, C[\alpha/\beta]$

$\le_6$) $\alpha \le \beta, C \mapsto \alpha = K(\bar\alpha), \beta = L(\bar\beta), \alpha_1 \le \beta_1, \ldots, \alpha_n \le \beta_n, C[\alpha/K(\bar\alpha), \beta/L(\bar\beta)]$, where $K \le L$

These rules for solving subtype conditions are similar to those presented in previous work. The rules obtaining a supremum ($\ge_3$) and binding lower bound type variables ($\ge_4$) are defined dually to $\le_3$ and $\le_4$. There is don't know nondeterminism in the choice of $K \le L$ in the $\le_4$ rule, and also between the $\le_5$ and $\le_6$ rules when $\alpha \le \beta$ is solved; in the second case, to get completeness, there are two possibilities, either to bind $\alpha$ and $\beta$ together or to enumerate solutions for $\alpha$ and $\beta$.

Any given implementation of these rules should collect the lower and upper bounds of every type variable ($\le_3$, $\ge_3$ rules) in order to reduce the nondeterminism of the $\le_4$, $\ge_4$ rules. The search space is also reduced if we suppose that $C$ is closed under transitivity.

4 Prolog Specification

In this section we propose an implementation of the operational semantics of the language. To this end we translate every program $P$ (resp. goal $G$) into a set of Prolog clauses $PC(P)$ (resp. a Prolog goal $PG(G)$). The specification of the operational semantics $PC(TLNC)$ together with $PC(P)$, $PG(G)$ and the control regime of Prolog yields a search tree which defines a set of solutions of the goal $G$ w.r.t. the program $P$.

Data variables $X$ are represented by Prolog terms including a Prolog variable $NX$, used as internal name, and the representation of the type variable $\alpha_X$. Type variables $\alpha$ are represented by Prolog terms containing the internal name of the type variable and their upper and lower bounds. We can suppose that every type variable $\alpha$ is constrained as $\beta_1, \ldots, \beta_l, K(\alpha_1, \ldots, \alpha_n) \le \alpha \le \gamma_1, \ldots, \gamma_u, L(\delta_1, \ldots, \delta_n)$, where $\beta_i, \alpha_j, \gamma_k, \delta_l$ are type variables, and $\beta_1, \ldots, \beta_l, K(\alpha_1, \ldots, \alpha_n)$ (resp. $\gamma_1, \ldots, \gamma_u, L(\delta_1, \ldots, \delta_n)$) are the lower (resp. upper) bounds of $\alpha$. $K$ and $L$ are the so-called current lower and upper bounds of $\alpha$. They are obtained by computing the supremum and infimum ($\ge_3$, $\le_3$ rules) of type constructors. We call this representation a quasi-solved form, and it will be guaranteed to be consistent, that is, to define at least one solution for $\alpha$.

When a type condition is solved and new subtype constraints arise, new upper and lower bounds are added to the representations of the involved type variables. If the consistency check of the new representation of some type variable fails, this produces backtracking. For instance, adding the constraint $nat \le \beta$ to a representation of $\beta$ whose current upper bound is $bool$ makes it inconsistent.

Matching of type variables ($\le_4$, $\ge_4$, $\le_5$, $\le_6$ rules) must be delayed until it is sound. A matching is sound when no new type constraints involving its type variables will appear. Note that unsound matchings lead to backtracking in later steps; for instance, binding $\alpha$ to $nat$ when $\alpha \le nat$ is unsound if $\alpha \le posint$ is required afterwards. When a program rule is applied, the fresh type variables of $C_T$ can be soundly matched once the incorporated data and type constraints have been solved. However, the type variables $\alpha_X$ of the fresh data variables of the rule cannot be solved until $X$ is solved.



4.1 Solving a Goal

A goal has the form $C_D \Diamond C_T$; however, in practice data and type constraints can be written in any order (we write $C$ instead of $C_D \Diamond C_T$). In fact, it is better to write them in an order that allows pruning of the search space. There is a significant improvement in typed lazy unification if the type conditions $X : \tau$ in $C$ are collected in advance in the representation of the type variables $\alpha_X$; then, when $e : \alpha_X$ is solved, the constraint $\alpha_X \le \tau$ is checked in the representation of $\alpha_X$. In our specification we suppose that goals are nested pairs (Constr, Rest).

solve_goal(C) :- solve_conditions(C), postprocess(C, AX), matching_free(AX).
solve_conditions(C) :- preprocess(C, TVar), solve_constr(C), matching_free(TVar).
solve_constr((Constr, Rest)) :- solve_constr(Constr), solve_constr(Rest).
solve_constr(L == R) :- equals(L, R).
solve_constr(E : T) :- type_cond(E, T).

Footnote: In the goal solver we suppose a preprocess which collects in TVar the type variables occurring in the goal, and a postprocess which collects in AX the type variables $\alpha_X$ of the data variables $X$ remaining free in the answer (remark that $\alpha_X$ has not been bound because $X$ is free). All these variables are matched via the matching_free predicate.
4.2 Solving Data Constraints

The predicate equals solves strict equalities $e == e'$. To this end, it computes head normal forms of $e$ and $e'$ via hnf. This strategy corresponds to applying the $\approx_1$ rule until one of the $\approx_2$, $\approx_3$, $\approx_5$, $\approx_6$ rules can be applied; equals_hnf and equal_vars correspond to the $\approx_5$, $\approx_2$, $\approx_3$, $\approx_6$ rule applications. The failure cases (the $\approx_6$ rule for clashing constructors, and the $\approx_3$ rule when the occur check in equal_vars succeeds) are implemented as Prolog failure branches.

equals(L, R) :- hnf(L, HL), hnf(R, HR), equals_hnf(HL, HR).
equals_hnf(X, R) :- is_data_var(X), !, equal_vars(X, R).
equals_hnf(L, X) :- is_data_var(X), !, equal_vars(X, L).
equals_hnf(L, R) :- is_c_apply(L, c(L1, ..., Ln), Tc), is_c_apply(R, c(R1, ..., Rn), Tc),
                    equals(L1, R1), ..., equals(Ln, Rn).
% is_data_var(E) succeeds if E is a data variable.
% is_c_apply(E, c(E1, ..., En), T) (resp. is_f_apply(E, f(E1, ..., En), T)) succeeds
% if E represents an expression c(e1, ..., en) (resp. f(e1, ..., en)),
% where Ei represents ei and T represents the declared type of c (resp. f).
equal_vars(X, Y) :- is_data_var(Y), is_same_data_var(X, Y), !.
equal_vars(X, Y) :- is_data_var(Y), !, bind_data(X, Y).
equal_vars(X, E) :- is_c_apply(E, c(E1, ..., En), T), not_occur(X, c(E1, ..., En)),
                    imitation_data(X, c(X1, ..., Xn)), equals(X1, E1), ..., equals(Xn, En).
% is_same_data_var(X, Y) determines if X and Y represent the same data variable.
hnf(E, H) :- is_data_var(E), !, H = E.
hnf(E, H) :- is_c_apply(E, c(E1, ..., En), Tc), H = c(E1, ..., En).
hnf(E, H) :- is_f_apply(E, f(E1, ..., En), Tf), #f(E1, ..., En, R), hnf(R, H).
not_occur(X, Y) :- is_data_var(Y), !, name_data_var(X, NX), name_data_var(Y, NY), NX \== NY.
not_occur(X, E) :- is_c_apply(E, c(E1, ..., En), Tc), !, not_occur(X, E1), ..., not_occur(X, En).
not_occur(X, E) :- is_f_apply(E, f(E1, ..., En), Tf).
% name_data_var(X, NX) returns the Prolog variable NX associated to X.

#f represents the Prolog predicate associated to $f$. Every program rule $f(t_1, \ldots, t_n) := r \Leftarrow C$ is translated to #f(E1, ..., En, r) :- unify(E1, t1), ..., unify(En, tn), solve_conditions(C). This translation of a program rule differs from other translations in the literature [2]: instead of computing the head normal form of $f(\bar e)$, the predicate computes a first approximation of $f(\bar e)$ (the body $r$ of a rule) via the application of the rule. This is so because type constraint solving does not need head normal forms.

In general, when a program rule is applied, the type variables in $C_T$ are collected and solved as if they were part of a goal. However, the matching of the remaining type variables $\alpha_X$ corresponding to fresh free variables $X$ of the program rule is delayed until the binding of $X$. Lazy unification is specified as follows:

unify(E, T) :- is_data_var(T), !, bind_data(T, E).
unify(E, T) :- hnf(E, H), unify_hnf(H, T).
unify_hnf(E, T) :- is_data_var(E), !, bind_data(E, T).
unify_hnf(E, T) :- is_c_apply(E, c(E1, ..., En), Tc), is_c_apply(T, c(T1, ..., Tn), Tc),
                   unify(E1, T1), ..., unify(En, Tn).

When $e$ is lazily unified with $t$ we distinguish two cases. If $t$ is a data variable, $t$ is bound to $e$ ($\approx_2$, $\approx_4$ rules); otherwise $t$ is a data constructor term and it demands the head normal form of $e$ ($\approx_1$, $\approx_6$ rules). The $\approx_3$ rule has not been considered in the case of non-strict equalities, since the demand driven strategy has been replaced by sharing. For the sake of presentation we consider suspended forms and sharing below; in this preliminary version, multiple copies may eventually be evaluated. Finally, the binding and imitation rules are specified as follows:

bind_data(X, T) :- type_var(X, AX), infer(T, AX), name_data_var(X, NX), NX = T.
imitation_data(X, c(X1, ..., Xn)) :- type_var(X, AX), infer(c(X1, ..., Xn), AX),
                                     name_data_var(X, NX), NX = c(X1, ..., Xn).
% type_var(X, AX) returns AX representing alpha_X.



4.3 Solving Type Constraints

The predicate type_cond solves type conditions. The don't know nondeterminism between $:_2$ and $:_3$ is achieved through the backtracking of Prolog.

type_cond(X, T) :- is_data_var(X), !, type_var(X, AX), add_constraints(AX =< T).
type_cond(E, T) :- is_c_apply(E, c(E1, ..., En), T1 ... Tn -> T0), !,
                   lower_matching(T0, T), solve_constr(E1 : T1, ..., En : Tn).
type_cond(E, T) :- is_f_apply(E, f(E1, ..., En), T1 ... Tn -> T0),
                   lower_matching(T0, T), solve_constr(E1 : T1, ..., En : Tn).
type_cond(E, T) :- is_f_apply(E, f(E1, ..., En), Tf), #f(E1, ..., En, R), type_cond(R, T).

If $h(\bar e) : \tau$ is solved by consulting the type declaration ($:_2$ rule) then lower_matching($\tau_0$, $\tau$) matches the type variables of $\tau_0$ to the infimum of their upper bounds in $\tau$. These matchings are sound because the type variables of $\tau_0$ are bound to the greatest types, which guarantees soundness by monotonicity of the type declarations. Type variables of $\tau$ (which possibly occur elsewhere in the goal) are matched in a later step, when the solving of $C_T$ finishes. Type variables of $\bigcup_{i=1}^{n} tvar(\tau_i) \setminus tvar(\tau_0)$ will not be matched, since their matching is not relevant to the computation; only the consistency of their constraints will be checked.

Type conditions $e : \alpha_X$ obtained from solving the $\approx$ rules are solved by binding $\alpha_X$ to the least type of $e$ through the infer predicate. infer is analogous to the type_cond predicate, but uses the matching predicate instead of lower_matching. To get the most general solution for $X$ in $V$, matching($\tau$, $\tau'$) matches the type variables of $\tau$ to the greatest types in $\tau'$, as in lower_matching, and the type variables of $\tau'$ to the least types in $\tau$, that is, the supremum of their lower bounds in $\tau$.

Due to lack of space we omit the specification of subtype constraint solving, including the lower_matching, matching and matching_free predicates. Supposing given a quasi-solved form $\beta_1, \ldots, \beta_l, K(\alpha_1, \ldots, \alpha_n) \le \alpha \le \gamma_1, \ldots, \gamma_u, L(\delta_1, \ldots, \delta_n)$ for a type variable $\alpha$: (1) lower_matching($\tau_0$, $\tau$) matches every type variable $\alpha$ of $\tau_0$ to its corresponding $L(\delta_1, \ldots, \delta_n)$ ($\le_4$ rule); (2) matching($\tau$, $\tau'$) matches every type variable $\alpha$ of $\tau$ to its corresponding $L(\delta_1, \ldots, \delta_n)$ ($\le_4$ rule) and every type variable $\alpha$ of $\tau'$ to its corresponding $K(\alpha_1, \ldots, \alpha_n)$ ($\ge_4$ rule); and (3) matching_free gets more general solutions, matching every type variable $\alpha$ to its greatest type, either $L(\delta_1, \ldots, \delta_n)$ ($\le_4$ rule) or a type variable $\beta$ ($\le_5$ rule) or any maximal type w.r.t. $\le$ ($\le_6$ rule).

Whenever a type variable is matched (e.g. $\alpha = L(\delta_1, \ldots, \delta_n)$) the binding is propagated to its upper and lower bounds, adding new constraints ($\beta_i \le L(\delta_1, \ldots, \delta_n)$ and $\alpha_j \le \delta_j$ as new upper bounds of $\beta_i$ and $\alpha_j$, and $L(\delta_1, \ldots, \delta_n) \le \gamma_k$ as a new lower bound of $\gamma_k$), and checking the consistency of every involved type variable.

5 Representation

The representation of data variables $X$ is defined as $R[X] = dvar(NX, R[\alpha_X])$, where $NX$ is a Prolog variable or eventually the representation of the term to which $X$ has been bound. The representation of type variables $\alpha$ (supposed to be in quasi-solved form) is defined as $R[\alpha] = tvar(R[\{\beta_1, \ldots, \beta_m\}], R[K(\alpha_1, \ldots, \alpha_n)], NA, R[\{\gamma_1, \ldots, \gamma_k\}], R[L(\delta_1, \ldots, \delta_n)])$, where $NA$ is a Prolog variable or eventually the representation of the type to which $\alpha$ has been bound.

Upper and lower bound type variables are represented by partial lists of lists, allowing new upper and lower bounds to be added along the computation. More precisely, $R[\{\beta_1, \ldots, \beta_m\}] = [V_1, \ldots, V_k, [R[\beta_1], \ldots, R[\beta_m]] \mid Xs]$, where $Xs$ is a Prolog variable and $V_1, \ldots, V_k$ are lists of type variables. The current upper and lower bounds are represented by partial lists of non-variable types, so $R[K(\alpha_1, \ldots, \alpha_n)] = [I_1, \ldots, I_k, K(R[\alpha_1], \ldots, R[\alpha_n]) \mid Xs]$, where $Xs$ is a Prolog variable and $I_1, \ldots, I_k$ are non-variable types.

The most important predicate which depends on the representation is add_constraints. This predicate maintains the representation of every type variable. Each time a new constraint involving $\alpha$ is added, the representation of $\alpha$ is modified; for instance, if the new constraint is of the form $\epsilon \le \alpha$ and $\epsilon$ is a type variable, $\epsilon$ is added to $\{\beta_1, \ldots, \beta_m\}$, and if it is of the form $M(\tau_1, \ldots, \tau_n) \le \alpha$, then the supremum $S$ of $K$ and $M$ is computed and $S(\lambda_1, \ldots, \lambda_n)$, where the $\lambda_i$ are new type variables, is added as the new current lower bound of $\alpha$, generating the new constraints $\tau_1 \le \lambda_1, \ldots, \tau_n \le \lambda_n, \alpha_1 \le \lambda_1, \ldots, \alpha_n \le \lambda_n$ ($\ge_3$ rule) and checking that the involved type variables are consistent. Notice that, when $\epsilon \le \alpha$ is introduced, $\alpha$ is simultaneously added as an upper bound of $\epsilon$. This kind of circular reference could produce problems when the type variables $\alpha$ and $\epsilon$ are mutually bound. We exploit the lack of occur check in Prolog, accepting cyclic terms in our representation; note that the ISO standard leaves unification of such cyclic (rational) terms undefined, so this relies on the concrete Prolog system handling them.

For simplicity we have replaced the demand driven strategy by the propagation of substitutions over the goal. This has the side effect that multiple copies of expressions may be evaluated in data and/or type conditions. As some kind of sharing would remedy this undesirable situation, we adopt (following ideas from previous work) a better representation of functional expressions and consider $f(e_1, \ldots, e_n, S)$, where $S$ is a Prolog variable if $f(e_1, \ldots, e_n)$ has not been evaluated, and otherwise represents the evaluation state of $f(e_1, \ldots, e_n)$, that is, if $f(e_1, \ldots, e_n)$ has been evaluated to $e'$ (not necessarily in head normal form) then $S$ represents $e'$. This differs from previous works [2], which focus on head normal forms and not on intermediate steps.

6 Type Analysis

Essentially, the idea of type analysis is to require a stronger static well-typedness condition of program rules and queries. The static well-typedness condition we have required so far allows program rules and goals to be typed straightforwardly: given $f(\bar t) := r \Leftarrow C_D \Diamond C_T$, where $f : \tau_1 \ldots \tau_n \to \tau_0 \in FUN$, to get static well-typedness it is enough to include in $C_T$ the type conditions $t_1 : \tau_1, \ldots, t_n : \tau_n, r : \tau_0$ and, for every $l == r \in C_D$, $l : \alpha, r : \alpha$, where $\alpha$ is a new type variable (this is so even if we have $C_T = \emptyset$).

A stronger static well-typedness condition allows the execution to be improved. In order to get a better search space reduction, $C_T$ should only contain the essential type information to be checked, and this information should be as precise as possible. For this reason, we are interested in simplifying $C_T$ and obtaining the closest type information for each program rule. Even more, we are interested in detecting goals or program rules leading to useless branches, either due to ill-typed $C_D$'s or unsatisfiable $C_T$'s.

6.1 Strong Static Well-Typedness

In order to define a notion of strong static well-typedness, we need to require an additional condition of program rules. In the following, we suppose that for all $f(\bar e)$, program rule instances $f(\bar t) := r \Leftarrow C_D \Diamond C_T \in [P]$ and environments $V$, $\{\sigma \mid (P, V) \vdash_{TRC} f(\bar e) : \sigma\} = \{\sigma \mid (P, V) \vdash_{TRC} r : \sigma\}$ whenever $(P, V) \vdash_{TRC} e_i \rhd t_i$, $1 \le i \le n$, and $(P, V) \vdash_{TRC} C_D, C_T$. We call this condition non-ambiguity w.r.t. types, by analogy with the condition of non-ambiguity w.r.t. data defined in [2]. Notice that for this set equality, the inclusion $\supseteq$ follows from $\vdash_{TRC}$ (rule Reduction II), while $\subseteq$ is ensured whenever program rules do not refer to a particular case of the type declaration of $f$, assuming that non-ambiguity w.r.t. data holds. Non-ambiguity w.r.t. types yields a natural property of expressions, namely that every expression TRC-well-typed w.r.t. $V$ has a TRC-least type w.r.t. $V$. The TRC-least type $\sigma$ of $e$ w.r.t. $V$ satisfies $(P, V) \vdash_{TRC} e : \sigma$ and $\sigma \le \tau$ for every $\tau$ such that $(P, V) \vdash_{TRC} e : \tau$. From now on we associate a type variable $\alpha_e$ to represent the TRC-least type of $e$.

$C_T$ leads to unsuccessful branches when $C_T$ is unsatisfiable. At compile time it is possible to detect unsatisfiability by checking whether $C_T$ contains type conditions which are not compatible w.r.t. the type declarations, or whether there is a subset of type conditions of an expression without infimum.

We say that $C_T$ is compatible if there exists $\rho$ such that $C_T$ is compatible via $\rho$, and $C_T$ is compatible via $\rho$ if the following conditions hold:
• every type condition $h(\bar e) : \tau \in C_T$ is compatible w.r.t. the type declarations via $\rho$, which means that if $h : \tau_1 \ldots \tau_n \to \tau_0$ then $\{e_1 : \tau_1, \ldots, e_n : \tau_n\}$ is compatible via $\rho$ and, if $h = c$ then $\tau_0\rho \le \tau\rho$, and if $h = f$ then $\alpha_{f(\bar e)}\rho$ is a lower bound of $\tau_0\rho$ and $\tau\rho$;

• every subset $\{e : \tau_1, \ldots, e : \tau_n\} \subseteq C_T$ is lower bounded via $\rho$, that is, $\alpha_e\rho \le \tau_1\rho, \ldots, \tau_n\rho$.

On the other hand, $C_T$ should only contain the minimal type information needed to assure well-typedness. Therefore we require that $C_T$ cannot be simplified to a simpler or smaller set of type conditions.

We say that $C_T$ is non-simplifiable if there do not exist $\rho$ and $C'_T$ such that $C_T$ is simplifiable to $C'_T$ via $\rho$ and $Sol(C_D, C_T) = Sol(C_D, C'_T)$, where $C_T$ is simplifiable to $C'_T$ via $\rho$ if one of the following conditions holds:

• there exists a type condition $h(\bar e) : \tau \in C_T$ simplifiable via $\rho$ to $\{e_1 : \tau_1, \ldots, e_n : \tau_n\}$, that is, $\tau_1 \ldots \tau_n \to \tau_0 \in [h]$, $\tau_0 \le \tau\rho$ and $C'_T = (C_T \setminus \{h(\bar e) : \tau\}) \cup \{e_1 : \tau_1, \ldots, e_n : \tau_n\}$;

• there exists a subset $\{e : \tau_1, \ldots, e : \tau_n\} \subseteq C_T$ simplifiable via $\rho$ to $e : \tau$, that is, $\tau \le \tau_1\rho, \ldots, \tau_n\rho$ and $C'_T = (C_T \setminus \{e : \tau_1, \ldots, e : \tau_n\}) \cup \{e : \tau\}$.

That is, $C_T$ is simplifiable if either (1) it contains a type condition simplifiable to conditions on its arguments, for some instance of the type declaration, or (2) it contains a set of type conditions on some expression which can be simplified to a unique type condition, for some lower bound. However, in order to preserve soundness, the simplification of $C_T$ has to take into account that the applicability conditions of a program rule and the type constraints of a goal depend on $C_T$; therefore $C_T$ can be simplified only if the simplification guarantees the semantic equivalence of $C_D, C_T$ and $C_D, C'_T$.

With respect to $C_D$, we can also consider a stronger well-typedness condition for equalities $l == r$. The static well-typedness condition required finding a common type for both sides of every equality $l == r$ of $C_D$. Now we strengthen this condition by requiring the existence of a common minimal type for $l$ and $r$ deduced from $C_T$. Notice that at compile time we can only refer to the set of minimal types of $l$ and $r$ w.r.t. $C_T$ (every $C_T$ defines a finite set of most general minimal types for every well-typed expression in $C_T$) and not to a unique least type. These minimal types can be seen as compile-time approximations to the TRC-least type. Given $(V, \theta, \rho) \in Sol(C_D, C_T)$ and an expression $e$, one of the minimal types will be an upper bound of the TRC-least type of $e\theta$ w.r.t. $V$.

We say that $\sigma$ is a minimal type of $e$ in $C_T$ if $(\Delta, C_T) \vdash_{sw} e : \sigma$ and there does not exist $\tau$ such that $\tau \le \sigma$, $\tau \ne \sigma$ and $(\Delta, C_T) \vdash_{sw} e : \tau$.

We say that $C_D$ is strongly well-typed w.r.t. $C_T$ if for every $l == r \in C_D$ there is at least one common minimal type $\sigma$ of $l$ and $r$ w.r.t. $C_T$, and for every $\sigma$, $\sigma'$ minimal types of $l$ and $r$ w.r.t. $C_T$ respectively, either $\sigma = \sigma'$ or there is no infimum of $\sigma$ and $\sigma'$.

This notion of strong well-typedness of $C_D$ is based on the existence of the TRC-least type of expressions and terms. Indeed, if $l\theta \rhd t$ and $r\theta \rhd t$ for a given $(V, \theta, \rho) \in Sol(C_D, C_T)$, then some common minimal type of $l$ and $r$ w.r.t. $C_T$ is an upper bound of the TRC-least type of $t$ w.r.t. $V$.
Combining all the required conditions, we say that $f(\bar t) := r \Leftarrow C_D \Diamond C_T$ is strongly static well-typed if it is static well-typed w.r.t. $C_T$, $C_T$ is compatible and non-simplifiable, and $C_D$ is strongly well-typed w.r.t. $C_T$.

Examples

(1) $C_D = \{X == Y, Y == head(tail([0, Z]))\}$ is strongly well-typed w.r.t. $C_T = \{X : int, Y : int, tail([0, Z]) : nelist(int)\}$. In effect, $tail([0, Z]) : nelist(int)$ is compatible with $tail : list(\alpha) \to list(\alpha)$, but cannot be simplified to $Z : int$.

(2) $C_D = \{X == head([0, suc(Y)]), Z == second([X, suc(X)])\}$ is strongly well-typed w.r.t. $C_T = \{X : nat, Y : nat, Z : nat\}$, but not w.r.t. $C'_T = \{X : int, Y : nat, Z : int\}$, because the unique minimal type of $head([0, suc(Y)])$ w.r.t. $C'_T$ is $nat$, the unique minimal type of $X$ w.r.t. $C'_T$ is $int$, $nat \ne int$ and they have an infimum.

Two aspects remain to be considered. The first one is how to know whether a given $C_T$ is simplifiable to a $C'_T$ in such a way that $Sol(C_D, C_T) = Sol(C_D, C'_T)$. For instance, if $C_D = \{Z == head([X, Y])\}$ then $C_T = \{Z : nat, head([X, Y]) : nat\}$ cannot be simplified to $C'_T = \{Z : nat, X : nat, Y : nat\}$ because $Sol(C_D, C_T) \ne Sol(C_D, C'_T)$. As we will see, to guarantee this semantic equivalence it is necessary to consider simplifications w.r.t. an upper more general matching $\rho$.

The second aspect to be specified is how to compute minimal types w.r.t. a given $C_T$. The set of minimal types of an expression w.r.t. $C_T$ corresponds to the smallest types which are compatible w.r.t. the type declarations; therefore they can be computed using lower more general matchings $\rho$. For instance, $nat$ is the smallest type such that $head([0, suc(Y)])$ is compatible w.r.t. the type declarations and $C_T = \{Y : nat\}$.



6.2 Matching Algorithms

Type analysis is based on the subtype constraint matchings that can be deduced from $C_T$. Given $C_T$, type analysis transforms $C_T$ into a set of type constraints $R_{C_T}$ as follows. Starting with $R_{C_T} := C_T$, repeat the following process until no rule can be applied:

• for every $X : \sigma \in R_{C_T}$ with $\sigma \ne \alpha_X$, $R_{C_T} := (R_{C_T} \setminus \{X : \sigma\}) \cup \{X : \alpha_X, \alpha_X \le \sigma\}$;

• for every $c(\bar e) : \sigma \in R_{C_T}$, $R_{C_T} := (R_{C_T} \setminus \{c(\bar e) : \sigma\}) \cup \{e_1 : \tau_1, \ldots, e_n : \tau_n, \tau_0 \le \sigma\}$, where $\tau_1 \ldots \tau_n \to \tau_0$ is a fresh variant of the type declaration of $c$;

• for every $f(\bar e) : \sigma \in R_{C_T}$ with $\sigma \ne \alpha_{f(\bar e)}$, $R_{C_T} := (R_{C_T} \setminus \{f(\bar e) : \sigma\}) \cup \{e_1 : \tau_1, \ldots, e_n : \tau_n, \alpha_{f(\bar e)} \le \tau_0, \alpha_{f(\bar e)} \le \sigma, f(\bar e) : \alpha_{f(\bar e)}\}$, where $\tau_1 \ldots \tau_n \to \tau_0$ is a fresh variant of the type declaration of $f$.

$C_T$ is transformed in this way into a set $R_{C_T}$ which includes (1) a set $C_{C_T}$ of type conditions of the form $e : \alpha_e$, for data variables and functional expressions, and (2) a set $S_{C_T}$ of subtype constraints of the form $\sigma \le \sigma'$. Notice that $Sol(R_{C_T}) = Sol(C_T)$ can be proved from the semantics of type conditions.

Once $R_{C_T}$ ($= S_{C_T} \cup C_{C_T}$) is obtained, the type analysis studies the upper and lower more general matchings of $S_{C_T}$. Given a set of subtype constraints $C = \{\tau_1 \le \sigma_1, \ldots, \tau_n \le \sigma_n\}$, we say that $\rho$ is a type matching of $C$ (written $\rho \in TMatch(C)$) if $\tau_1\rho \le \sigma_1\rho, \ldots, \tau_n\rho \le \sigma_n\rho$. We say that $\{\rho_i \mid i \in I\}$ is a complete set of upper (resp. lower) more general matchings of $C$ if $\rho_i \in TMatch(C)$ for all $i \in I$, and for each $\rho \in TMatch(C)$ there exist $i \in I$ and a type substitution $\lambda$ such that $\rho \le \rho_i\lambda$ (resp. $\rho_i\lambda \le \rho$). It can be proved that if $TMatch(C) \ne \emptyset$ then there exists a complete and finite set of upper (resp. lower) more general matchings for $C$. For instance, a complete set of upper more general matchings of $C = \{\alpha \le list(\beta), nelist(\alpha) \le \gamma, \beta \le nat\}$ only contains $\rho = \{\beta/nat, \alpha/list(nat), \gamma/list(list(int))\}$, and a complete set of lower more general matchings is $\{\rho_1, \rho_2, \rho_3, \rho_4\}$ where $\rho_1 = \{\beta/zero, \alpha/elist(zero), \gamma/nelist(elist(zero))\}$, $\rho_2 = \{\beta/posint, \alpha/elist(posint), \gamma/nelist(elist(posint))\}$, $\rho_3 = \{\beta/zero, \alpha/nelist(zero), \gamma/nelist(nelist(zero))\}$ and $\rho_4 = \{\beta/posint, \alpha/nelist(posint), \gamma/nelist(nelist(posint))\}$.

The following algorithm, written as transformation rules of the form (C, p) — > 
(C , p'), computes the matchings p defining a complete set of upper more general 
matchings for a set of subtype constraints C. To this end, the transformation 
process starts with (C, 0) and ends with (0,p), if no failure arises, by applying 
the following rules: 

• (DEC): $(\{K(\bar\tau) \le L(\bar\sigma)\} \cup C, \rho) \to (\{\tau_1 \le \sigma_1, \ldots, \tau_n \le \sigma_n\} \cup C, \rho)$ 

% $K \le L$, and failure, otherwise 

• (IMI I): $(\{\alpha \le \tau,\ L(\bar\sigma) \le \beta\} \cup C, \rho) \to (\{\alpha \le \tau,\ L(\bar\beta) \le \beta,\ \sigma_1 \le \beta_1, \ldots, \sigma_n \le \beta_n\} \cup C, \rho)$ 
% $\alpha$ occurs in $L(\bar\sigma)$ and $\bar\beta$ are new type variables 

• (IMI II): $(\{\alpha \le K(\bar\tau),\ \tau \le \beta\} \cup C, \rho) \to (\{\alpha \le K(\bar\alpha),\ \tau \le \beta,\ \alpha_1 \le \tau_1, \ldots, \alpha_n \le \tau_n\} \cup C, \rho)$ 
% $\beta$ occurs in $K(\bar\tau)$ and $\bar\alpha$ are new type variables 

• (INF): $(\{\alpha \le K_i(\bar\tau_i) \mid 1 \le i \le m\} \cup C, \rho) \to (\{\alpha_j \le \tau_{ij} \mid 1 \le i \le m,\ 1 \le j \le n\} \cup C, \rho)[\alpha/I(\bar\alpha)]$ 

% $\bar\alpha$ are new type variables, $\alpha$ only occurs in $C$ in constraints $\alpha \le \beta$ and there 
exists the infimum $I$ of $K_1, \ldots, K_m$, and failure, otherwise 

• (MAX): $(\{K_i(\bar\tau_i) \le \alpha \mid 1 \le i \le m\} \cup C, \rho) \to (\{\tau_{ij} \le \alpha_j \mid 1 \le i \le m,\ 1 \le j \le n\} \cup C, \rho)[\alpha/M(\bar\alpha)]$ 

% $\bar\alpha$ are new type variables, $\alpha$ only occurs in $C$ in constraints $\beta \le \alpha$ and there 
exists a maximal $M$ such that $M \ge K_1, \ldots, K_m$, and failure, otherwise 

• (VAR I): $(\{\alpha \le \beta\} \cup C, \rho) \to (C, \rho)[\beta/\alpha]$ 

• (VAR II): $(\{\alpha \le \beta_1, \ldots, \alpha \le \beta_n\} \cup C, \rho) \to (C, \rho)[\alpha/I(\bar\alpha),\ \beta_1/M_1(\bar\alpha), \ldots, \beta_n/M_n(\bar\alpha)]$ 
% $\bar\alpha$ are new type variables, $M_1, \ldots, M_n$ are maximals, $I$ is the infimum ($I \ne M_j$, for 
some $j$) of $M_1, \ldots, M_n$ and $\alpha$ does not occur in $C$ 

(DEC), (IMI I) and (IMI II) collect lower and upper bounds of every type 
variable. Then (INF) and (MAX) are applied to match type variables to types as great 
as possible. (MAX) provides different upper more general matchings by 
binding to maximal elements. When no lower and upper non-variable bounds can 
be found, (VAR I) matches to type variables and (VAR II) matches to maximal 
types. We exploit the non-determinism of these transformation rules ((MAX), 
(VAR I), (VAR II)), computing a set of upper more general matchings. We write 
$UGM(C) = \{\rho \mid (C, \emptyset) \to^* (\emptyset, \rho)\}$. 

We have proved that $UGM(C)$ is a complete set of upper more general match- 
ings of $C$. There is a similar algorithm to compute a complete set $LGM(C)$ of 
lower more general matchings of $C$, taking infima instead of suprema and mini- 
mal types instead of maximal types. Our algorithms are based on the algorithm 
of Hill and Topor jl bj to compute the more general infimum of a set of types. 

6.3 Inferring a $C_T$ 

The type analysis we present is expressed as transformation rules $C_T \to C'_T$ 
of sets of type conditions. Given a program rule $f(\bar t) := r \Leftarrow C_D \Box C_T$ ($C_T$ 
establishes the applicability conditions of the rule) we start with $C_T$, for which 
the rule is statically well-typed, and we finish either with a $C'_T$ w.r.t. which the 
rule is strongly well-typed, or with a failure, meaning that the program rule is 
not strongly typable w.r.t. $C_T$. The transformation rules are the following: 

— (SWE) Strong Well-Typedness of Equalities 

$C_T \to_{SWE} \{l : \tau,\ r : \tau\} \cup C_T$ 

% $l == r \in C_D$; $\alpha$, $\beta$ and $\gamma$ are new type variables; $CS = LGM(S_{\{l:\alpha,\ r:\alpha,\ l:\beta,\ r:\gamma\} \cup C_T}|_{\{\beta,\gamma,\alpha\}})$; 
there exists $\tau = infimum(\beta\rho, \gamma\rho)$, for all $\rho \in CS$; and failure when $CS$ 
is empty or there is no infimum for $\beta\rho, \gamma\rho$, for all $\rho \in CS$. 

— (SCTC) Simplification and Compatibility of Type Conditions 

$\{e : \tau\} \cup C_T \to_{SCTC_1} C'_T \cup C_T$ 

% $CS = UGM(S_{\{e:\tau\}} \cup S_{C_T}|_{tvar(R_{\{e:\tau\}})})$; there is $\rho = \{\alpha/\alpha\rho_i \mid \rho_i \in CS,\ \alpha \in 
tvar(C_{\{e:\tau\}})\}$; and failure, when $CS$ is empty; moreover, if $e = f(\bar e)$, $\alpha_{f(\bar e)}\rho$ is 
an instance of the range of $f$; $C'_T = C_{\{e:\tau\}}\rho$ 

$\{e : \tau_1, \ldots, e : \tau_n\} \cup C_T \to_{SCTC_2} \{e : \tau\} \cup C_T$ 

% $CS = UGM(\{\alpha_e \le \tau_1, \ldots, \alpha_e \le \tau_n\} \cup S_{\{e:\tau_1,\ldots,e:\tau_n\} \cup C_T}|_{tvar(R_{\{e:\tau_1,\ldots,e:\tau_n\}})})$; 
$\alpha_e\rho = \tau$, for all $\rho \in CS$; and failure, when $CS$ is empty. 

Since type variables can occur in different type conditions, the soundness in 
the matching of type variables is preserved if we collect in $S_{C_T}$ ($\subseteq R_{C_T}$) the 
subtype constraints for them; for instance, in (SWE), the subtype constraints 
for $\alpha, \beta, \gamma$. 

The (SWE) rule includes in $C_T$ the type conditions $l : \tau$ and $r : \tau$, for every $l == 
r \in C_D$. The type conditions $l : \alpha$, $r : \alpha$ are used to force the well-typedness of 
$l == r$, while the type conditions $l : \beta$, $r : \gamma$ are used to compute in $\beta$ (resp. $\gamma$) 
minimal types of $l$ (resp. $r$). There are two possible cases of failure: either $l$ and 
$r$ are ill-typed ($CS$ is empty) or $l$ and $r$ have no compatible types (no infimum 
for minimal types). In both cases $l == r$ is not strongly typable. When there 
exist two or more infima, the type of $l == r$ can not be precise and $C_T$ does not 
change (see Example (3) below). 

The (SCTC$_1$) rule first computes a complete set $CS$ of upper more general match- 
ings of $S_{\{e:\tau\}} \cup S_{C_T}|_{tvar(R_{\{e:\tau\}})}$. Then $e : \tau$ is simplifiable to $C_{\{e:\tau\}}\rho$ when 
there exists an extension $\rho$ of $CS$ over the type variables of $C_{\{e:\tau\}}$. If $e$ is a 
functional expression, then the type condition can be simplified whenever $\rho$ is 
matched to the range of the type declaration of $f$. The (SCTC$_2$) rule simplifies a 
set of type conditions of an expression by computing the more general infimum. 
To this end, it computes a complete set $CS$ of upper more general matchings 
of $\{\alpha_e \le \tau_1, \ldots, \alpha_e \le \tau_n\} \cup S_{\{e:\tau_1,\ldots,e:\tau_n\} \cup C_T}|_{tvar(R_{\{e:\tau_1,\ldots,e:\tau_n\}})}$. The set of type 
conditions is simplifiable if $CS$ defines a more general infimum for $\alpha_e$. If $CS$, 
either in (SCTC$_1$) or in (SCTC$_2$), results in the empty set, we can conclude that $C_T$ 
is not compatible. 
Examples 

(1) Let $C_D = \{X == Y,\ Y == head(tail([0, Z]))\}$. The (SWE) rule obtains $C_T = \{X : 
int,\ Y : int,\ head(tail([0, Z])) : int\}$, then (SCTC$_1$) simplifies $head(tail([0, Z])) : int$ to 
$tail([0, Z]) : nelist(int)$, and therefore $C_T = \{X : int,\ Y : int,\ tail([0, Z]) : nelist(int)\}$ 
is obtained. 

(2) Let $C_D = \{X == head([0, suc(Y)]),\ Z == second([X, suc(X)])\}$. (SWE) ob- 
tains $C_T = \{X : nat,\ head([0, suc(Y)]) : nat,\ Z : nat,\ second([X, suc(X)]) : nat\}$. (SCTC$_1$) 
simplifies it to $C_T = \{X : nat,\ Y : nat,\ Z : nat\}$. 

(3) Let $C_D = \{X == head([A, Y])\}$ and $C_T = \{X : a,\ head([A, Y]) : a\}$, where 
$A : a$, $a \le b$, $a \le c$ (without supremum for $b$ and $c$). In this case, it is not possible 
to type $X == head([A, Y])$ because we deduce that $Y : b$ or $Y : c$ and therefore 
$X : b$ or $X : c$. Notice that the strong well-typedness condition is ensured by 
considering $C_T = \{X : a,\ head([A, Y]) : a\}$. 

Theorem (Strong Well-Typedness) 

Given a program rule $f(\bar t) := r \Leftarrow C_D \Box C_T$: 

(1) If $C_T \to^* C'_T$ and $C'_T$ is irreducible by the rules, then $f(\bar t) := r \Leftarrow C_D \Box C'_T$ is 
strongly well-typed and $Sol(C_D, C_T) = Sol(C_D, C'_T)$. 

(2) If $C_T \to^* failure$ then $f(\bar t) := r \Leftarrow C_D \Box C_T$ is not strongly typable w.r.t. $C_T$. 

7 Conclusions and Future Work 

In this paper we have presented an implementation of a functional logic language 
with subtyping. We have shown how types can be used in typed lazy narrowing 
to prune the search space of solutions, avoiding otherwise necessary functional 
reductions. We have also studied how type analysis at compile-time can be used 
for improving computations. Most of the optimizations and ideas we have pre- 
sented have been tested in a prototype realized in SICStus Prolog. As future 
work we plan to improve the implementation, by considering more refined trans- 
lations to Prolog, following ideas from HHE]. 

Acknowledgments. I would like to thank Antonio Gavilanes and Ana Gil 
for their comments on this work. 
Abstract. In this paper we propose an abstract version of the denota- 
tional semantics defined in jS). This leads to a precise goal-independent 
abstract interpretation of Prolog programs. We deal with the control 
rules of Prolog and the cut operator. Moreover, we get a simple denota- 
tion for negation as finite failure. The abstract analysis is proposed both 
for computed answers analysis and for call patterns analysis. In both 
cases the abstract semantics is finitely computable. 



Keywords: Abstract interpretation, static analysis, logic programming. 



1 Introduction 

In |S| we proposed a denotational semantics which models the set of computed 
answers of a Prolog interpreter in a goal-independent fashion. In this paper, we 
show how that semantics can be used as an effective basis for program analysis. 
Handling Prolog control features allows us to get a more precise analysis. In 
particular our approach deals with the leftmost selection rule, the depth-first 
search rule and the cut operator. Moreover, it is a simple task to “implement” 
the Prolog not/1 operator once we have the cut operator. Hence even negation as 
finite failure is modeled denotationally. Similarly we can implement some other 
built-ins like if_then/2 and if_then_else/3. 

A previous approach to the abstract interpretation of logic programs with 
control rules of Prolog and the cut operator was presented in |S|. The main 
difference between our approach and theirs is that we delay the decision diver- 
gence/no divergence or cut/no cut to the actual evaluation of a denotation in a 
given constraint store. They take instead this decision just when they compose 
denotations. It is not clear how their approach could lead to a goal-independent 
semantics. In any case their approach makes it impossible to compute the denota- 
tions of the most general goals only, as we do in this paper. This is important 
because it leads to a simpler and more efficient computation of the semantics. 

The problems arising in the abstract interpretation framework, when we deal 
with control, were already tackled in 0E|. We will give a simple and effective 
solution to the problem of “downward approximation” of constraints. Another 
problem with w was that an abstract analysis built on that semantics was not 
necessarily finite even when defined on a finite abstract domain. This important 
problem is solved in the present work (see Section 4.2). 

Another approach strongly related to ours is the one described in where 
a semantics for logic programs with Prolog control was obtained by “compiling” 
a Prolog program into an ask/tell language, so that the semantics of the Prolog 
program can be viewed as the semantics of a constraint logic program. The main 
problem with P is that the transformation uses constraints like “the execution 
of this goal terminates”, whose abstraction is not trivial. The problem related 
to the abstraction of these goals, in a finite abstract analysis framework, is the 
same as the problem of finding an (upward or downward) approximation of SLD 
trees with control faced in P , or even as the problem of the approximation of the 
consistency of constraints faced in HIEj. Up to now there was no sensible proposal 
for control approximation. Hence all these approaches are still theoretical rather 
than practical. In this paper we follow the approach of p. However we use a 
new kind of constraints, in particular we use “observability” constraints which 
check whether they are consistent with the constraint store. Moreover, we suggest 
how to handle these constraints in the abstract case, and we propose a general 
approach for approximating them, by keeping only the information which is 
relevant from the abstract point of view, rather than too concrete information 
like termination. 

In order to better understand the ideas underlying the following sections, 
consider this Prolog program: 

select_vars_in_term(X, [X]) :- var(X), !. 

select_vars_in_term(A, []) :- atom(A), !. 

select_vars_in_term(F, L) :- F =.. [_Name|Args], 
    select_vars_in_list(Args, L). 

select_vars_in_list([], []). 

select_vars_in_list([H|T], [H1|T1]) :- select_vars_in_term(H, H1), 
    select_vars_in_list(T, T1). 

Assume we know from some global analysis that the procedure select_vars_in_term 
is always called with its second argument free. If we take the control information 
into account, it is easy to see that in the third clause F can never be a free 
variable nor an atom. This would allow us to optimize the compilation of the 
procedure. 

Roughly speaking, dealing with control allows us to collect not only the in- 
formation related to the successful execution of a branch of computation, but 
even that related to the simple observability of it, which should not be hidden 
by divergence or cut; we will not try to guess when a branch of a computation 
is observable or not (this would lead to control approximation) but merely what 
abstract information we can derive from the observability of a branch of com- 
putation. We will try to solve the problem “if I arrived here, what do I know?” 
and not the problem “when do I arrive here?”. Hence we will add to any con- 
straint, in the following called “kernel” constraint, an observability condition, 
in the form of an “observability” constraint, which is to be satisfied in order to 
make the kernel constraint observable. 
2 Preliminaries 

We assume the reader familiar with basic algebraic structures [S]. A sequence is 
an ordered collection of elements with repetitions. We will write $Seq(\mathcal{E})$ for the 
set of sequences of elements of $\mathcal{E}$. $::$ denotes sequence concatenation. 

Abstract interpretation Hi is a technique which allows us to statically ( “at 
compile time” ) determine some dynamic ( “at run time” ) properties of a program. 
The idea is that of executing the program on an “abstract” domain, where every 
element represents a set of elements of the “concrete” domain. This technique 
is widely used in computer science both for reasoning about the relationships 
between different semantics and for program analysis. 

Note that in the program analysis case the abstract domain should be cho- 
sen with the aim of making the computation effective. The abstraction (and 
related approximation) is needed because we know from Rice’s theorem that 
most “interesting” properties of programs are not effectively computable. 

One way of formalizing abstract interpretation is by means of Galois connec- 
tions. 

Definition 1. A Galois connection between the posets $(P, \sqsubseteq)$ and $(P^a, \sqsubseteq^a)$ is a 
pair $(\alpha, \gamma)$ of total maps such that the following condition holds: 

$\forall p \in P,\ p^a \in P^a : \alpha(p) \sqsubseteq^a p^a$ if and only if $p \sqsubseteq \gamma(p^a)$. 

$\alpha$ and $\gamma$ are the abstraction and the concretization maps of the connection. 

We know from a theorem in ^ that, given two complete lattices $(P, \sqsubseteq)$ 
and $(P^a, \sqsubseteq^a)$, if $(\alpha, \gamma)$ is a Galois connection between them, $\phi : P \to P$ and 
$\phi^a : P^a \to P^a$ monotonic operators and $\alpha(\bot) = \bot^a$, then the local 
correctness condition implies the global one, i.e.: 

— $\alpha \circ \phi \sqsubseteq^a \phi^a \circ \alpha$ implies $\alpha(lfp(\phi)) \sqsubseteq^a lfp(\phi^a)$, 

— $\alpha \circ \phi = \phi^a \circ \alpha$ implies $\alpha(lfp(\phi)) = lfp(\phi^a)$. 

We recall that two posets can be extended to complete lattices in such a way 
that any monotonic map $\alpha$ between them can be extended to a continuous map 
$\hat\alpha$ between their extensions. The same extension leads to the following result, 
which will allow us to get simpler proofs. 

Proposition 1. Let $(P, \sqsubseteq)$ and $(P^a, \sqsubseteq^a)$ be two posets and $T : P \to P$, $T^a : 
P^a \to P^a$ and $\alpha : P \to P^a$ be three monotonic maps such that $\alpha(\bot) = \bot^a$ and 
$\alpha \circ T \sqsubseteq^a T^a \circ \alpha$. Then we can extend $P$ and $P^a$ to two complete lattices $\hat P$ and 
$\hat P^a$ respectively, and $\alpha$, $T$ and $T^a$ to continuous maps $\hat\alpha : \hat P \to \hat P^a$, $\hat T : \hat P \to \hat P$ 
and $\hat T^a : \hat P^a \to \hat P^a$, such that $(\hat\alpha, \hat\alpha^{-1})$ is a Galois connection between $\hat P$ and $\hat P^a$, 
$\hat\alpha(\bot) = \bot^a$ and the correctness condition $\hat\alpha \circ \hat T \sqsubseteq^a \hat T^a \circ \hat\alpha$ holds. 

The relevance of the above proposition is that we do not need to be concerned 
with the infinite elements of the two lattices, nor do we have to define the 
semantic operators and the abstraction map on them. Roughly speaking, $P$ 
consists of the finite elements of $\hat P$ and $P^a$ consists of the finite elements of $\hat P^a$. 
In the following we will use an “abstract” syntax for Prolog programs, which 
simplifies the semantic operators. The translation from Prolog into our syntax 
is straightforward and can be understood by noting that the Prolog clause 
q(X) :- p(X), !, s(X). is translated into q(x) :- cut(p(x)) and s(x). Finally, our 
abstract syntax assumes all predicates to be unary. This constraint simplifies 
the definition of the semantics without loss of generality. The extension of that 
definition to the general case is anyway straightforward. 

A clause will be of the form p(x) :- G1 or ··· or Gn., where $G_1, \ldots, G_n$ are 
goals, defined by the grammar: G ::= c | G and G | exists x.G | cut(G), where $c$ is 
a constraint and $x$ is a variable symbol. 

3 The Denotational Semantics 

We recall here the basic definitions of the denotational semantics defined in |S|, 
where further details and explanations can be found. 

Definition 2. Given a program $P$, its immediate consequence operator is de- 
fined as $T_P(I)(p) = \exists_x(\llbracket\delta_{a,x}\rrbracket \otimes \downarrow(\mathcal{E}\llbracket B\rrbracket I))$, where p(x) :- B. is the definition of 
$p$ in $P$, $I$ is an interpretation, i.e., a map that tells us what we already know 
about the semantics of the more general goals, $a$ is a distinguished variable (not 
present in programs) and 

$\mathcal{E}\llbracket c\rrbracket I = \llbracket c\rrbracket$ 
$\mathcal{E}\llbracket G_1\ and\ G_2\rrbracket I = \mathcal{E}\llbracket G_1\rrbracket I \otimes \mathcal{E}\llbracket G_2\rrbracket I$ 
$\mathcal{E}\llbracket G_1\ or\ G_2\rrbracket I = \mathcal{E}\llbracket G_1\rrbracket I \oplus \mathcal{E}\llbracket G_2\rrbracket I$ 
$\mathcal{E}\llbracket exists\ x.G\rrbracket I = \exists_x(\mathcal{E}\llbracket G\rrbracket I)$ 
$\mathcal{E}\llbracket cut(G)\rrbracket I = \,!(\mathcal{E}\llbracket G\rrbracket I)$ 
$\mathcal{E}\llbracket p(x)\rrbracket I = \exists_a(\llbracket\delta_{x,a}\rrbracket \otimes I(p))$. 

The semantics of a program $P$ is defined as: $S_P = \bigsqcup_{i \ge 0} T_P^i(I^0)$. 

We now define the semantic domain. The lattice of basic constraints could be 
thought of as the domain of analysis, for instance equations over rational trees, 
though more abstract “domains” could be used (and they actually will in Section 
4). The diagonal elements $\delta_{x,y}$ represent unification of $x$ and $y$. For instance, in 
the case of rational trees, they represent the equation $x = y$. They are needed 
to perform parameter passing. The cylindrification operators $\exists_x$ are used to 
remove from a constraint all the information related to $x$, and are a simple way 
for avoiding all renaming problems. 

Observability constraints are a new concept; roughly speaking, an observ- 
ability constraint $o$ is satisfied in a given constraint store $S$ if and only if it is 
consistent with it, i.e., if and only if $S \wedge o$ is satisfiable. Note that we do not 
require $o$ to be entailed by $S$. From an alternative point of view, we can look at 
observability constraints as constraints which give us some information on the 
constraint store. If $o$ is satisfied in $S$ then $S$ is consistent with $o$. This remark 
will be useful when we consider abstract observability constraints. 

In the following, we will consider pairs consisting of a “kernel” constraint 
and its “observability” part. A kernel constraint $k$ is observable in a given con- 
straint store if and only if its observability part $o$ is satisfied. The kernel part 
represents the contribution of the constraint to the constraint store in the case 
the constraint is observable. 

Definition 3. A basic constraint is an element of a lattice $(\mathcal{B}, \le, \vee, \wedge, true, 
false)$, where $\wedge$ is the greatest lower bound operator, $\vee$ is the least upper bound 
operator, $true$ is the top of the lattice and $false$ is the bottom of the lattice. 
We assume there exist elements $\delta_{x,y} \in \mathcal{B}$: for instance $\delta_{x,y}$ represents the con- 
straint identifying the variables $x$ and $y$. Moreover, we assume there is a family 
of monotonic operators $\exists_x$ on the set of constraints, representing the restriction 
of a constraint obtained by hiding all the information related to the variable $x$. 

The set of kernel constraints is defined as $\mathcal{K} = \mathcal{B}$. 

The set $\mathcal{O}$ of observability constraints is defined as the least set contain- 
ing basic constraints and closed w.r.t. the binary operations $\sqcap$ and $\sqcup$ and the 
unary operation $\neg$. We assume an injection map from kernel constraints into 
observability constraints defined as $k \propto obs = k$. This map will have maximum 
precedence. Hence, $o \sqcap k \propto obs$ will mean $o \sqcap (k \propto obs)$. Cylindrification is defined 
on observability constraints as the elementwise extension of cylindrification on 
kernel constraints: if $o = k \propto obs$ then $\exists_x o = \exists_x k$. Otherwise: 

$\exists_x(o_1 \sqcap o_2) = \exists_x o_1 \sqcap \exists_x o_2$, $\quad \exists_x(o_1 \sqcup o_2) = \exists_x o_1 \sqcup \exists_x o_2$, $\quad \exists_x(\neg o) = \neg \exists_x o$. 

A conditional convergent constraint (convergent constraint for short) is an 
element of $\mathcal{C} = \mathcal{O} \times \mathcal{K}$. $o + k$ will denote $(o, k) \in \mathcal{C}$, where $o$ is the observability 
part and $k$ is the kernel part of the constraint. We will use the usual notation 
for field selection: $(o + k)_1 = o$ and $(o + k)_2 = k$. 

We define the following sets of constraints, each a marked copy of $\mathcal{C}$: 

— $\{\, o + k \mid o + k \in \mathcal{C} \,\}$ (divergent constraints); 

— $\{\, o + k \mid o + k \in \mathcal{C} \,\}$ (open convergent constraints); 

— $\{\, o + k \mid o + k \in \mathcal{C} \,\}$ (open internal constraints). 

A constraint is an element of the set $\mathfrak{C}$, the union of $\mathcal{C}$ and the three sets above. The module operator 
$|\cdot| : \mathfrak{C} \to \mathcal{C}$ maps a constraint of any of the four kinds to the convergent constraint $o + k$ 
with the same observability and kernel parts. 

Given a goal $G$, $con(G)$ is the constraint part of $G$, i.e., the kernel constraint 
already computed by $G$ (up to the first procedure call in $G$) in a left to right 
scanning of the goal. Formally (we assume $c \wedge c' = c \wedge c'$) 

$con(c) = c$, $\quad con(p(x)) = true$, 

$con(G_1\ and\ G_2) = con(G_1) \wedge con(G_2)$, $\quad con(exists\ x.G) = \exists_x con(G)$, 
$con(cut(G)) = con(G)$. 

Note that $con(G)$ is an open constraint if and only if $G$ contains a procedure call, 
and a convergent one if and only if it does not. 
Definition 4. The usual notion of satisfiability is defined on kernel constraints. 
A kernel constraint $k$ is satisfiable in a constraint store $S$ and in a structure 
interpretation $\mathcal{J}$, if and only if there exists an environment $\rho$ such that $\rho \models_{\mathcal{J}} (S \wedge k)$. 

Satisfiability for observability constraints is different in that we allow different 
environments to be used in different proofs. 

— if $o \in \mathcal{B}$, then $o$ is satisfiable in $S$ and $\mathcal{J}$, if and only if $o$ is satisfiable in $S$ 
and $\mathcal{J}$ as a kernel constraint; 

— $o_1 \sqcap o_2$ is satisfiable in $S$ and $\mathcal{J}$, if and only if both $o_1$ and $o_2$ are satisfiable 
in $S$ and $\mathcal{J}$; 

— $o_1 \sqcup o_2$ is satisfiable in $S$ and $\mathcal{J}$, if and only if $o_1$ or $o_2$ is satisfiable in $S$ and 
$\mathcal{J}$; 

— $\neg o$ is satisfiable in $S$ and $\mathcal{J}$, if and only if $o$ is not satisfiable in $S$ and $\mathcal{J}$. 



Definition 5. The lifting of an observability constraint with respect to a kernel 
constraint is defined as follows: 

$k \bullet k' = k \wedge k'$, $\quad k \bullet (o_1 \sqcap o_2) = (k \bullet o_1) \sqcap (k \bullet o_2)$, 

$k \bullet (o_1 \sqcup o_2) = (k \bullet o_1) \sqcup (k \bullet o_2)$, $\quad k \bullet \neg o = \neg(k \bullet o)$. 

A preorder on the set of observability constraints is defined as $o_1 \le o_2$ if 
and only if, for all constraint stores $S$, if $S \bullet o_1$ is satisfiable in $\emptyset$ and $\mathcal{J}$, then 
$S \bullet o_2$ is satisfiable in $\emptyset$ and $\mathcal{J}$. Obviously $\le$ is reflexive and transitive. However, 
it is not antisymmetric. Hence we define an equivalence relation $\sim$, such that 
$o_1 \sim o_2$ if and only if $o_1 \le o_2$ and $o_2 \le o_1$. In such a way, the extension of $\le$ 
to $\sim$-equivalence classes is an ordering relation. In the following, we will always 
consider an observability constraint as its equivalence class, and therefore $=$ will 
denote $\sim$. 
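As an added example (not the paper's own code), the following Python decides satisfiability of kernel and observability constraints over a constructed finite domain (constants a, b, c; equations of the form x = a and x = y), implements the lifting k • o of Definition 5, and decides the preorder ≤ by enumerating the stores over two variables. It makes the point of Definition 4 concrete: o1 ⊓ o2 is satisfiable whenever each of o1 and o2 is separately consistent with the store, even when o1 ∧ o2 as a single kernel constraint is not.

```python
# Added example (not the paper's code): satisfiability of kernel and
# observability constraints (Definition 4), lifting k • o (Definition 5) and
# the preorder on observability constraints, over a constructed finite domain.
# Observability constraints are nested tuples: ('obs', k) for k ∝obs,
# ('and', o1, o2) for o1 ⊓ o2, ('or', o1, o2) for o1 ⊔ o2, ('not', o) for ¬o.
from itertools import product
from typing import FrozenSet, Tuple

CONSTS = ("a", "b", "c")             # constructed universe; other names are variables
Kernel = FrozenSet[Tuple[str, str]]  # conjunction of equations lhs = rhs


def kernel(*eqs: str) -> Kernel:
    """Build a kernel constraint from strings such as 'x=a' or 'x=y'."""
    return frozenset(tuple(e.replace(" ", "").split("=")) for e in eqs)


def variables(k: Kernel) -> set:
    return {t for eq in k for t in eq if t not in CONSTS}


def holds(k: Kernel, env: dict) -> bool:
    """env |= k: every equation is true once variables are replaced by values."""
    return all(env.get(l, l) == env.get(r, r) for l, r in k)


def kernel_satisfiable(store: Kernel, k: Kernel) -> bool:
    """Definition 4 for kernel constraints: some environment satisfies store ∧ k."""
    conj = store | k
    vs = sorted(variables(conj))
    return any(holds(conj, dict(zip(vs, vals)))
               for vals in product(CONSTS, repeat=len(vs)))


def obs_satisfiable(store: Kernel, o) -> bool:
    """Definition 4 for observability constraints.  Each sub-proof may use its
    own environment, so o1 ⊓ o2 means 'both consistent with the store', not
    'jointly satisfiable'."""
    tag = o[0]
    if tag == "obs":
        return kernel_satisfiable(store, o[1])
    if tag == "and":
        return obs_satisfiable(store, o[1]) and obs_satisfiable(store, o[2])
    if tag == "or":
        return obs_satisfiable(store, o[1]) or obs_satisfiable(store, o[2])
    if tag == "not":
        return not obs_satisfiable(store, o[1])
    raise ValueError(f"unknown observability constraint {o!r}")


def lift(k: Kernel, o):
    """Definition 5: k • o conjoins k with every kernel leaf of o."""
    tag = o[0]
    if tag == "obs":
        return ("obs", k | o[1])
    if tag == "not":
        return ("not", lift(k, o[1]))
    return (tag, lift(k, o[1]), lift(k, o[2]))


def leq(o1, o2, names: Tuple[str, str] = ("x", "y")) -> bool:
    """o1 ≤ o2: for every store S (enumerated over the equations on `names`),
    if S • o1 is satisfiable in the empty store then so is S • o2."""
    atoms = [(v, c) for v in names for c in CONSTS] + [(names[0], names[1])]
    empty: Kernel = frozenset()
    for mask in product((False, True), repeat=len(atoms)):
        S = frozenset(eq for eq, on in zip(atoms, mask) if on)
        if obs_satisfiable(empty, lift(S, o1)) and not obs_satisfiable(empty, lift(S, o2)):
            return False
    return True


# Constructed sample: the store 'true' and the two kernel constraints x = a, x = b.
TRUE: Kernel = frozenset()
X_IS_A, X_IS_B = ("obs", kernel("x=a")), ("obs", kernel("x=b"))

if __name__ == "__main__":
    print("x=a ∧ x=b as kernel:", kernel_satisfiable(TRUE, kernel("x=a", "x=b")))
    print("(x=a) ⊓ (x=b) as observability:", obs_satisfiable(TRUE, ("and", X_IS_A, X_IS_B)))
    print("(x=a)⊓(x=b) ≤ (x=a ∧ x=b)∝obs:", leq(("and", X_IS_A, X_IS_B), ("obs", kernel("x=a", "x=b"))))
```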

Given a sequence of constraints $s$, we define its divergence condition as $\delta(s) = 
\bigsqcup_{o+k \in s} o \sqcap k \propto obs$, its cut condition as $\kappa(s) = \bigsqcup_{o+k \in s} (o \sqcap k \propto obs) \sqcup \bigsqcup_{o+k \in s} (o \sqcap k \propto 
obs)$, its block condition as $\beta(s) = \delta(s) \sqcup \kappa(s)$ and its convergence condition as 
$c(s) = \bigsqcup_{o+k \in s} (o \sqcap k \propto obs) \sqcup \bigsqcup_{o+k \in s} (o \sqcap k \propto obs)$, each union ranging over the constraints of $s$ of the 
corresponding kind. 

We write $SS$ for the set of sequences of constraints. 

Definition 6. The instantiation of a sequence with an observability constraint is 
defined as $o \cdot () = ()$ and $o \cdot (v_1, \ldots, v_n) = (o \cdot v_1, \ldots, o \cdot v_n)$, where $o \cdot (o' + k') = 
(o \sqcap o' + k')$ for each of the four kinds of constraint, the result keeping the kind of $o' + k'$. 

Definition 7. The instantiation of a sequence with a kernel constraint is defined 
as $k \circ () = ()$ and $k \circ (v_1, \ldots, v_n) = (k \circ v_1, \ldots, k \circ v_n)$, where $k \circ (o' + k') = 
(k \bullet o' + k \wedge k')$ for each of the four kinds of constraint, the result keeping the kind of $o' + k'$. 
The semantical operators are defined as follows: 

$\llbracket c\rrbracket = (true \propto obs + c)$, $\quad s_1 \oplus s_2 = s_1 :: \neg\beta(s_1) \cdot s_2$. 

$!(()) = ()$ 

$!((o + k)) = (o + k)$, $\quad !((o + k)) = (o + k)$, $\quad !((o + k)) = (o + k)$, $\quad !((o + k)) = (o + k)$ 
(one case for each of the four kinds of constraint). 

Moreover, if $length(s) \ge 2$ and therefore $s = s_1 :: s_2$, where $s_1$ and $s_2$ are non- 
empty sequences, we define $!(s) = !(s_1) :: \neg c(s_1) \cdot !(s_2)$. 

$\downarrow(()) = ()$ 

$\downarrow((o + k)) = (o + k)$, $\quad \downarrow((o + k)) = (o + k)$, $\quad \downarrow((o + k)) = ()$, $\quad \downarrow((o + k)) = (o + k)$ 
(one case for each of the four kinds of constraint). 

Moreover, if $length(s) \ge 2$ and thus $s = s_1 :: s_2$, where $s_1$ and $s_2$ are non-empty 
sequences, we define $\downarrow(s) = \downarrow(s_1) :: \downarrow(s_2)$. 

$\exists_x(()) = ()$ 

$\exists_x((o + k)) = (\exists_x o + \exists_x k)$ for each of the four kinds of constraint, the result keeping the kind of $o + k$. 

Moreover, if $length(s) \ge 2$ and thus $s = s_1 :: s_2$, where $s_1$ and $s_2$ are non-empty 
sequences, we define $\exists_x(s) = \exists_x(s_1) :: \exists_x(s_2)$. 

$(o + k) \otimes s = (o + k)$, $\quad (o + k) \otimes s = (o + k)$, 

$(o + k) \otimes s = o \cdot (k \circ s)$, $\quad (o + k) \otimes s = (o + k) :: o \cdot (k \circ s)$ 
(one case for each of the four kinds of constraint). 

Moreover, if $length(s') \ge 2$ then there exist non-empty sequences $s_1$ and $s_2$ 
such that $s' = s_1 :: s_2$. In this case we define: $s' \otimes s = s_1 \otimes s :: \neg\xi(s_1, s) \cdot (s_2 \otimes s)$, 
where $\xi(s_1, s) = \bigsqcup_{o+k \in s_1} o \sqcap (k \bullet \delta(s)) \sqcup \bigsqcup_{o+k \in s_1} o \sqcap (k \bullet \delta(s))$. 

An interpretation is a map $I$ from the set of predicate symbols $\Pi$ to the set 
of sequences of constraints. Interpretations form a poset whose bottom element 
is $I^0$, such that $I^0[p] = (true \propto obs + true)$ for every predicate $p$. 

Note that our semantics is defined as $S_P = \bigsqcup_{i \ge 0} T_P^i(I^0)$. Actually, while 
divergent or cut constraints are useful for a precise and compositional definition 
of the observability conditions, we are not interested in them when we turn to 
the use of the collected abstract information. In this second step, we only need 
to know the abstract information of every convergent constraint and the related 
observability constraint. Therefore it is sensible to discard all the redundant in- 
formation (from this point of view), through an auxiliary function $O$, defined as 
$O(s) = \bigsqcup_{o+k \in s} (o \sqcap k \propto obs) \sqcup \bigsqcup_{o+k \in s} (o \sqcap k \propto obs)$. $O$ is extended to interpreta- 
tions in the obvious way. Namely, $(O(I))[p] = O(I[p])$ for every predicate $p$. $O$ is 
an observability condition which is satisfied by those constraint stores in which 
a computed answer is observed. Note that the unique difference with the case of 
the classical s-semantics is that observability conditions are taken into account 
in the computation of $O$. Moreover, if $s$ contains two constraints $o_1 + k_1$ and 
$o_2 + k_2$ and if $o_1$ entails $o_2$ and $k_1$ entails $k_2$, then $O(s) = o_2 \sqcap k_2$. The pointwise 
partial order is defined on the range of $O$. 

In jS| it is shown that the set of consistent and observable kernel constraints in 
$O(\mathcal{E}\llbracket G\rrbracket S_P)$ is the set of Prolog computed answers for the goal $G$ in the program 
$P$. Moreover, we showed that 

Theorem 1. A kernel constraint $k$ is a Prolog computed answer constraint for 
a goal $G$ executed in a program $P$ if and only if $k \le O(\mathcal{E}\llbracket G\rrbracket(S_P))$. 

3.1 A Call Pattern Semantics 

In the section above we have shown a semantics able to characterize computed 
answers of a Prolog program. However, program analysis is more often concerned 
with call patterns, more precisely with the set of all possible call patterns for any 
predicate. This information is useful for an optimizing compiler, since it allows 
one to compile predicate calls, by specializing them for the specific call patterns 
which can actually arise at run-time. 

In this section we sketch the definitions of the operators for a call pattern se- 
mantics for Prolog. We omit some details, since they can easily be reconstructed 
as an extension of the case of the computed answer semantics. 

The main difference between call patterns and computed answers is that call 
patterns belong to the internal part of the SLD tree, and not only to its frontier. 
Moreover, a call pattern constraint is associated to a specific predicate. Hence 
we define the following kinds of constraint. 

— $o + k;\, p$ (divergent constraints); 

— $o + k$ (convergent constraints); 

— $o + k;\, p$ (internal constraints); 

— $o + k$ (cut constraints); 

— $o + k$ (cut internal constraints). 

Note the introduction of a new kind of internal constraint. The definition of the 
semantic operators is similar to the case of the computed answer semantics, with 
a few relevant differences: $\llbracket c\rrbracket = (true \propto obs + c)$, $s_1 \oplus s_2 = s_1 :: \neg\beta(s_1) \cdot s_2$. The 
definition of $T_P$ is essentially unchanged, while the basic cases of the definition 
of the $!$ operator are the following. 



$!(()) = ()$ 

$!((o + k;\, p)) = (o + k;\, p)$, $\quad !((o + k)) = (o + k)$, $\quad !((o + k;\, p)) = (o + k;\, p)$, 

$!((o + k)) = (o + k)$, $\quad !((o + k)) = (o + k)$ 
(one case for each of the five kinds of constraint). 
The only relevant difference is that internal constraints are left untouched, be- 
cause a constraint is allowed to cut only if it is a solution of the goal, i.e., only 
if it is a convergent constraint. 

Even the basic cases of the definition of $\downarrow$ are an extension of the old definition: 

$\downarrow(()) = ()$, $\quad \downarrow((o + k)) = (o + k)$, 

$\downarrow((o + k;\, p)) = (o + k;\, p)$, $\quad \downarrow((o + k)) = (o + k)$, 

$\downarrow((o + k)) = ()$, $\quad \downarrow((o + k;\, p)) = (o + k;\, p)$ 
(one case for each of the five kinds of constraint). 

Finally, the basic cases of the definition of $\otimes$ are 

$(o + k;\, p) \otimes s = (o + k;\, p)$, $\quad (o + k;\, p) \otimes s = (o + k;\, p)$, 

$(o + k) \otimes s = o \cdot (k \circ s)$, $\quad (o + k) \otimes s = (o + k)$, 

$(o + k) \otimes s = (o + k) :: o \cdot (k \circ s)$ 
(one case for each of the five kinds of constraint). 

A difference is found in the definition of the $T_P$ operator. Roughly speaking, 
in the denotation of $p(x)$ there exists a call pattern which is precisely $p(x)$, and 
then there are all the call patterns which arise in its execution. This leads to the 
following definition: $T_P(I)(p) = (true \propto obs + true;\, p) :: \exists_x(\llbracket\delta_{a,x}\rrbracket \otimes \downarrow(\mathcal{E}\llbracket B\rrbracket I))$. 
With these simple changes, the semantics scheme of Definition 2 gives rise to a 
call pattern semantics for Prolog. It is computed as the least fixpoint of the 
$T_P$ operator defined above, starting from the interpretation such that $I^0[p] = 
(true \propto obs + true;\, p)$, for every predicate $p$. 

We now show how to abstract the denotational semantics for computed an- 
swers. The following considerations can be easily extended to the case of call 
patterns. 






4 Abstract Semantics 

A concrete observability constraint tells us what we know of the constraint store 
in the case the conditional constraint is observable. It is the most precise informa- 
tion we could know in that case. Similarly, an abstract observability constraint 
should say what we know of the constraint store w.r.t. the abstract domain 
we have at hand in the case the conditional constraint is observable. This in- 
formation will be called success approximation of the observability constraint. 
However, we compute even negations of observability constraints. The nega- 
tion of a success approximation of an observability constraint $o$ is not a success 
approximation of the observability constraint $\neg o$. Therefore, we need a failure 
approximation of a concrete observability constraint. It will become a success 
approximation of $\neg o$. Therefore, a failure approximation of $o$ is nothing more 
than a success approximation of $\neg o$. We show now how these approximations 
can be computed. Note that we need these approximations even for kernel con- 
straints, since they are mapped into observability constraints through the $\propto obs$ 
map. 
Consider a concrete observability or kernel constraint $c$. If it is satisfiable in 
a constraint store, then we know that $c$ is satisfiable in that constraint store. 
Therefore, the most concrete success condition is obviously $c$ itself. Similarly, 
the most concrete failure condition for $c$ is $\neg c$, that is “$c$ is not satisfiable in the 
current store”. So every concrete constraint is isomorphic to a success/failure pair 
$(c, \neg c)$, which we will write as $[c; \neg c]$. This is the most concrete success/failure 
approximation of $c$. Actually, it is a precise approximation of $c$. Assume now 
we are interested in a given abstract analysis, whose domain is $\mathcal{D}$ and whose 
abstraction map is $\rho : \mathcal{K} \to \mathcal{D}$. It can easily be seen that a success condition 
for $c$ is the constraint $s(c) = \bigvee_{\models S \wedge c} \rho(S)$. The previous formula should be read 
as follows. We look for the most precise condition which is satisfied by every 
constraint store $S$ which is consistent with $c$. Dually, a failure condition for $c$ 
is the constraint $f(c) = \bigvee_{\not\models S \wedge c} \rho(S)$. These two formulas can be generalized to 
observability constraints as follows: 





( 1 ) 




( 2 ) 



Hence we abstract an observability constraint into the pair 
$$\chi(o) = \begin{bmatrix} s(o) \\ f(o) \end{bmatrix}.$$

In the case of kernel constraints, we need also to know what happens (from 
an abstract point of view) if a kernel constraint $k$ is satisfied. This information is 
obviously $\rho(k)$. Hence a kernel constraint will be abstracted into 
$$\chi(k) = \begin{bmatrix} s(k) \\ \rho(k) \\ f(k) \end{bmatrix}.$$

This leads to a straightforward definition for $(\alpha_{obs})^\alpha$, i.e., the abstract counterpart 
of $\alpha_{obs}$: 
$$\alpha_{obs}^\alpha \begin{bmatrix} s \\ \rho \\ f \end{bmatrix} = \begin{bmatrix} s \\ f \end{bmatrix}.$$

The conjunction of kernel and observability constraints is defined as 
$$\begin{bmatrix} s_1 \\ f_1 \end{bmatrix} \wedge^\alpha \begin{bmatrix} s_2 \\ f_2 \end{bmatrix} = \begin{bmatrix} s_1 \wedge s_2 \\ f_1 \vee f_2 \end{bmatrix}, \qquad
\begin{bmatrix} s_1 \\ a_1 \\ f_1 \end{bmatrix} \wedge^\alpha \begin{bmatrix} s_2 \\ a_2 \\ f_2 \end{bmatrix} = \begin{bmatrix} s_1 \wedge s_2 \\ a_1 \wedge a_2 \\ f_1 \vee f_2 \end{bmatrix}.$$

The disjunction of kernel and observability constraints is dually defined as 
$$\begin{bmatrix} s_1 \\ f_1 \end{bmatrix} \vee^\alpha \begin{bmatrix} s_2 \\ f_2 \end{bmatrix} = \begin{bmatrix} s_1 \vee s_2 \\ f_1 \wedge f_2 \end{bmatrix}, \qquad
\begin{bmatrix} s_1 \\ a_1 \\ f_1 \end{bmatrix} \vee^\alpha \begin{bmatrix} s_2 \\ a_2 \\ f_2 \end{bmatrix} = \begin{bmatrix} s_1 \vee s_2 \\ a_1 \vee a_2 \\ f_1 \wedge f_2 \end{bmatrix}.$$

Abstract negation and cylindrification are defined as 
$$\neg^\alpha \begin{bmatrix} s \\ f \end{bmatrix} = \begin{bmatrix} f \\ s \end{bmatrix}, \qquad
\exists^\alpha_x \begin{bmatrix} s \\ f \end{bmatrix} = \begin{bmatrix} \exists_x s \\ \exists_x f \end{bmatrix}
\quad\text{and}\quad
\exists^\alpha_x \begin{bmatrix} s \\ a \\ f \end{bmatrix} = \begin{bmatrix} \exists_x s \\ \exists_x a \\ \exists_x f \end{bmatrix}.$$

With the above definitions, and assuming $[\![c]\!]^\alpha = \begin{bmatrix} s(c) \\ \rho(c) \\ f(c) \end{bmatrix}$, the 
semantic scheme of definition 2 can be directly translated into an abstract 
semantics definition. 

Finally we define an abstract version of the O function as 



Ol(l<) = V 


s' 


(sAs'Ad) V Y 


s' 


[/]+ 


d 

[f'l 


[/] + 


d 



G /« 



{s A s' A d) . 
For a call pattern version of the abstract semantics, one should only perform 
the same changes suggested for the concrete call pattern semantics. For an 
example of computation of this semantics, see later. 



4.1 Correctness of the Abstraction 



In this section we show that the abstract denotational semantics is correct with 
respect to the concrete one. The abstraction map $\chi$ can be extended to 
sequences of constraints by defining $\chi(o + k) = \chi(o) + \chi(k)$ and 
$\chi((a_1, \ldots, a_n)) = (\chi(a_1), \ldots, \chi(a_n))$. The approximation ordering $\le$ on sequences is the 
elementwise extension of the approximation ordering on observability/kernel pairs: 
$o_1 + k_1 \le o_2 + k_2$ if and only if $o_1 \le o_2$ and $k_1 \le k_2$. Similarly for the other 
possible pairs of the same type: $\begin{bmatrix} s_1 \\ f_1 \end{bmatrix} \le \begin{bmatrix} s_2 \\ f_2 \end{bmatrix}$ if and only if $s_1 \le s_2$ and $f_1 \le f_2$. 
Similarly $\begin{bmatrix} s_1 \\ a_1 \\ f_1 \end{bmatrix} \le \begin{bmatrix} s_2 \\ a_2 \\ f_2 \end{bmatrix}$ if and only if $s_1 \le s_2$, $a_1 \le a_2$ and $f_1 \le f_2$. If we assume 
that the $\wedge$ and $\vee$ operators are correct w.r.t. the concrete ones, we conclude easily 
that all the operators defined above are correct with respect to the concrete 
ones. This in turn implies that the abstract semantical operators are correct with 
respect to the concrete ones, since the abstract operators are obtained from the 
concrete ones substituting the concrete operations with the abstract ones. In 
conclusion, it is a straightforward result that $\chi(T_P(I)) \le T_P^\alpha(\chi(I))$. Note that 
it can be easily shown that all the semantical operators are monotonic with 
respect to the approximation ordering. Hence $T_P^\alpha$ is monotonic with respect to this 
ordering. This implies that 

$$\chi\big(T_P^i(I^0)\big) \le (T_P^\alpha)^i\big(\chi(I^0)\big) \qquad (3)$$

for every $i \ge 0$. The case $i = 0$ is straightforward. By inductive hypothesis, we 
have 
$$\chi\big(T_P^{i+1}(I^0)\big) = \chi\big(T_P(T_P^i(I^0))\big) \le T_P^\alpha\big(\chi(T_P^i(I^0))\big) 
\overset{\text{(monotonicity)}}{\le} T_P^\alpha\big((T_P^\alpha)^i(\chi(I^0))\big) = (T_P^\alpha)^{i+1}\big(\chi(I^0)\big).$$



By monotonicity of $\mathcal{O}^\alpha$ with respect to the approximation ordering and using 
equation (3), we conclude that 
$$\bigvee_{i \ge 0} \mathcal{O}^\alpha\big(\chi(T_P^i(I^0))\big) \le \bigvee_{i \ge 0} \mathcal{O}^\alpha\big((T_P^\alpha)^i(\chi(I^0))\big), \qquad (4)$$
where $\le$ is now the partial ordering on abstract constraints. 

It can be shown that 

Proposition 2. $\mathcal{O}^\alpha_\chi$ is a monotonic map with respect to the computational 
ordering $\sqsubseteq$ (see [ref] for the definition of $\sqsubseteq$). 

By the proposition above, we conclude that the extension $\mathcal{O}^\alpha_\chi$ of $\mathcal{O}_\chi$ is 
continuous and we have 



$$\bigvee_{i \ge 0} \mathcal{O}^\alpha_\chi\big(T_P^i(I^0)\big) = \mathcal{O}^\alpha_\chi\Big(\bigvee_{i \ge 0} T_P^i(I^0)\Big),$$
which is the left hand side of equation (4). Hence 
$$\mathcal{O}^\alpha_\chi(S_P) \le \bigvee_{i \ge 0} \mathcal{O}^\alpha\big((T_P^\alpha)^i(\chi(I^0))\big). \qquad (5)$$

Equation (5) will be taken as our correctness result. Since [...] for 
every $s \in SS$ (by the correctness of $\wedge$ and $\vee$), it says that $T_P^\alpha$ can be used to 
compute an approximation of the abstract behaviour of $S_P$. 

It can be similarly shown that 
$$\mathcal{O}^\alpha_\chi\big(\mathcal{E}[\![G]\!]S_P\big) \le \bigvee_{i \ge 0} \mathcal{O}^\alpha\big(\mathcal{E}^\alpha[\![G]\!](T_P^\alpha)^i\chi(I^0)\big),$$
i.e., our abstract semantics is correct even for the denotation of a single goal. 

We would like to be able now to compute the right hand side of equation 
(5) in a finite number of steps. The next section shows when and how this can be 
accomplished. 

4.2 Towards a Finitely Computable Abstract Semantics 

In the case of abstract analysis of pure logic programs, if the abstract domain 
is finite or noetherian (or at least the set of abstract constraints on a finite 
set of variables is finite or noetherian), then the abstract fixpoint is finitely 
computable. This is because a semantics for pure logic programs uses as 
computational domain sets of constraints, rather than sequences, as we do in our 
approach. This problem was already tackled in [ref]. As already noted, the semantics 
in [ref] was quite complex, since cut and divergence conditions were "declared" 
rather than "applied" (as we do in this paper). This in turn led to complex and 
incomplete "reduction rules" on sequences. The present approach leads to a simple 
solution. We will show that it is safe to remove a constraint from a sequence 
if it entails another constraint of the same type that precedes it in the sequence. 
As a consequence it is not possible to have multiple copies of a constraint in a 
sequence and therefore the abstract domain of sequences becomes finite. Finally, 
the right hand side of equation (5) is finitely computable. 

The reduction rule on sequences can be viewed as a further abstract interpretation 
process, such that every abstract sequence is abstracted into another 
abstract sequence where all the "entailing" constraints are removed. Formally, 
we define an abstraction map as $\Lambda(()) = ()$, $\Lambda((v)) = (v)$ and 
$\Lambda(s_1 :: s_2) = \Lambda(s_1) :: \Lambda'(s_2)$, where $\Lambda'(s_2)$ is $\Lambda(s_2)$ deprived of all constraints $v$ such that there exists 
a constraint $w \in \Lambda(s_1)$ of the same type as $v$ such that $v|_1 \sqcup^\alpha w|_1 = w|_1$ and 
$v|_2 \sqcup^\alpha w|_2 = w|_2$, where the expression "of the same type as" means that the two 
(abstract) constraints should be both closed convergent, or both open convergent 
and so on. Intuitively, if a constraint is preceded by another constraint and 
entails it, it is not useful for computing the observable properties we are 
interested in. Moreover, it will not be useful even if we combine the sequence in any 
possible compositional context, as will be shown in the following paragraphs. 
Definition 8. Let $RSS$ be the set of reduced sequences, that is the set of 
sequences such that no constraint precedes another constraint of the same type 
which entails it. Obviously, we have $\Lambda : SS \to RSS$. The following abstract 
operators are defined on $RSS$: 



$$\begin{aligned}
\alpha_{obs}^\Lambda(c) &= \alpha_{obs}^\alpha(c), &
[\![c]\!]^\Lambda &= \Big([\;] + \begin{bmatrix} s(c) \\ \rho(c) \\ f(c) \end{bmatrix}\Big), \\
s_1^\Lambda \odot^\Lambda s_2^\Lambda &= \Lambda(s_1^\Lambda \odot^\alpha s_2^\Lambda), &
s_1^\Lambda \otimes^\Lambda s_2^\Lambda &= \Lambda(s_1^\Lambda \otimes^\alpha s_2^\Lambda), \\
\exists_x^\Lambda s^\Lambda &= \Lambda(\exists_x^\alpha s^\Lambda), &
!^\Lambda(s^\Lambda) &= \Lambda(!^\alpha(s^\Lambda)), \\
\iota^\Lambda(s^\Lambda) &= \Lambda(\iota^\alpha(s^\Lambda)), &
\mathcal{O}^\Lambda(s^\Lambda) &= \mathcal{O}^\alpha(s^\Lambda).
\end{aligned}$$

The above definition induces a semantic scheme based on the one described in 
definition 2. 

Lemma 1. The following conditions hold: 

i) $\Lambda([\![c]\!]^\alpha) = [\![c]\!]^\Lambda$; ii) $\Lambda(s_1 \odot^\alpha s_2) = \Lambda(s_1) \odot^\Lambda \Lambda(s_2)$; 

iii) $\Lambda(s_1 \otimes^\alpha s_2) = \Lambda(s_1) \otimes^\Lambda \Lambda(s_2)$; iv) $\Lambda(\exists_x^\alpha s) = \exists_x^\Lambda \Lambda(s)$; 
v) $\Lambda(!^\alpha(s)) = !^\Lambda(\Lambda(s))$; vi) $\Lambda(\iota^\alpha(s)) = \iota^\Lambda(\Lambda(s))$. 

Proof. 

i) Obvious. 

ii) Assume $o \cdot s = \Lambda(o \cdot s)$. We have 
$$\Lambda(s_1 \odot^\alpha s_2) = \Lambda\big(s_1 :: \neg\beta(s_1) \cdot s_2\big) = \Lambda\big(\Lambda(s_1) :: \neg\beta(s_1) \cdot s_2\big) 
= \Lambda\big(\Lambda(s_1) :: \neg\beta(\Lambda(s_1)) \cdot \Lambda(s_2)\big) = \Lambda(s_1) \odot^\Lambda \Lambda(s_2).$$

iii) $\Lambda(s_1 \otimes^\alpha s_2) = \Lambda(s_1 \otimes^\alpha \Lambda(s_2)) = \Lambda(\Lambda(s_1) \otimes^\alpha \Lambda(s_2)) = \Lambda(s_1) \otimes^\Lambda \Lambda(s_2)$. 

iv) $\Lambda(\exists_x^\alpha s) = \Lambda(\exists_x^\alpha \Lambda(s)) = \exists_x^\Lambda \Lambda(s)$. 

v) $\Lambda(!^\alpha(s)) = \Lambda(!^\alpha(\Lambda(s))) = !^\Lambda(\Lambda(s))$, because if $v$ entails and follows $w$ in $s$, then, 
after the $!^\alpha$ operator has been applied, all the cut conditions added to $w$ are 
added to $v$ too, and therefore $v$ will still entail $w$ and will be removed by the 
$\Lambda$ abstraction present in $\Lambda(!^\alpha(s))$. Hence it is equivalent to remove $v$ before 
applying the $!^\alpha$ operator. Note that $v$ does not contribute to the function $\mathcal{O}$, 
because, if it is convergent, then $w$ is convergent too and $v \sqcup^\alpha w = w$. 

vi) $\Lambda(\iota^\alpha(s)) = \Lambda(\iota^\alpha(\Lambda(s))) = \iota^\Lambda(\Lambda(s))$. 

Proposition 3. Given an interpretation $I$, we have $\Lambda(T_P^\alpha(I)) = T_P^\Lambda(\Lambda(I))$ where, 
by definition, $\Lambda(I)[p] = \Lambda(I[p])$. 

Proof. Using lemma 1 it can easily be shown that for every goal $G$ we have 
$\Lambda(\mathcal{E}^\alpha[\![G]\!]I) = \mathcal{E}^\Lambda[\![G]\!]\Lambda(I)$, by straightforward induction on the structure of $G$. 
Using lemma 1 again, we get the thesis. 
Corollary 1. For every $i \ge 0$ we have $\Lambda((T_P^\alpha)^i(I^0)) = (T_P^\Lambda)^i(\Lambda(I^0))$. 

Proof. By induction on $i$. 

If $v$ entails $w$ then the success condition of $v$ is lower than the success 
condition of $w$ and similarly the abstract approximation of $v$ is lower than the abstract 
approximation of $w$. Therefore $\mathcal{O}^\alpha((w)) = \mathcal{O}^\alpha((v, w))$. This allows us to conclude 
that $\mathcal{O}^\Lambda(\Lambda(s)) = \mathcal{O}^\alpha(s)$. Hence we have 
$$\bigvee_{i \ge 0} \mathcal{O}^\alpha\big((T_P^\alpha)^i(I^0)\big) = \bigvee_{i \ge 0} \mathcal{O}^\alpha\big(\Lambda((T_P^\alpha)^i(I^0))\big) 
\overset{\text{(corollary 1)}}{=} \bigvee_{i \ge 0} \mathcal{O}^\Lambda\big((T_P^\Lambda)^i(\Lambda(I^0))\big).$$

Note that, assuming the set of abstract constraints on a finite set of variables 
to be finite, we conclude that the right hand side of the above equality can be 
computed in a finite number of steps. This means that the right hand side of 
equation (5) can be computed in a finite number of steps using $T_P^\Lambda$. 

A similar reduction can be applied to the call pattern analysis described 
earlier (see the following example). 



5 An Example 



In this section we show an example of the computation of the abstract call 
pattern semantics for a simple program. We use an abstract domain able to 
model groundness and non-freeness, without directionality. Even this "weak" 
domain is able to show the usefulness of our approach. Consider the Prolog 
program 

p(X) :- X=4, !. 
p(X) :- q(X). 
q(X) :- X=5. 
q(X) :- p(X). 



which is translated into our abstract syntax as 

p(x) :- cut(x = 4) or q(x). 
q(x) :- x = 5 or p(x). 

and then abstractly compiled into: 
$$p(x) \;:\!-\; \mathrm{cut}\Big([\;] + \begin{bmatrix} \top \\ g(x) \\ nf(x) \end{bmatrix}\Big) \text{ or } q(x).$$
$$q(x) \;:\!-\; [\;] + \begin{bmatrix} \top \\ g(x) \\ nf(x) \end{bmatrix} \text{ or } p(x).$$



The computation of the abstract fixpoint (with sequence reductions) stops 
at the second iteration in such a way that //p(Tp)[p] is the sequence 




;p, 



'T' 



T 

9{a) 

nf(a) 



xf(a) 

T 



;q, 



i/(“) 

T 



n/(a) 

T 

_L 



;p 
From the third constraint of this denotation we conclude that the unique call 
pattern for q, which can arise from the execution of p, is observable only in 
a constraint store in which $a$ (or, equivalently, $x$) is a non-free variable. This 
information can be used to optimize the compilation of the unification for the 
clauses of the definition of q. Note that it would not have been possible to 
determine this information if we had discarded the cut operator in our analysis. 



6 Conclusions and Future Work 

We have shown a general framework for the abstract interpretation of Prolog 
programs both for computed answers and for call patterns. The main difference 
with classical abstract interpretation of logic programs is the use of sequences 
rather than sets of constraints and the use of success and failure conditions. 
While a general approach for defining success and failure conditions is available 
(equations (1) and (2)), one should not think that the problem of finding success 
and failure conditions is definitely solved. Actually, we only shifted the problem 
to the definition of the abstract domain, which must be devised in such a way that 
equations (1) and (2) do not give trivial approximations (like $\top$, for instance). 
Future work will be spent in devising such domains, and in showing the feasibility 
of the approach with its implementation. 

Finally, we think that the problem of assuring termination in the presence 
of sequences rather than sets of constraints could be related with termination 
of abstract interpretation of concurrent logic programs. We will investigate this 
relation. 
Abstract. The subject of groundness analysis for (constraint) logic programs 
has been widely studied, and interesting domains have been proposed. 
Pos has been recognized as the most suitable domain for capturing 
the kind of dependencies arising in groundness analysis, and Reduced Ordered 
Binary Decision Diagrams (ROBDDs) are generally accepted to 
be the most efficient representation for Pos. Unfortunately, the size of an 
ROBDD is, in the worst case, exponential in the number of variables it 
depends upon. Earlier work [2] has shown that a hybrid representation 
that separates the definite information from the dependency information 
is considerably more efficient than keeping the two together. The aim of 
the present paper is to push this idea further, also separating out certain 
dependency information, in particular all pairs of variables that are always 
either both ground or neither ground. We find that this new hybrid 
representation is a significant improvement over previous work. 



1 Introduction 

The aim of groundness analysis (sometimes called definiteness analysis) is to derive 
statically, for all the program points of interest, which variables are bound to 
unique values (or ground). This kind of information is very important: it allows 
substantial optimizations to be performed at compile-time, and is also crucial to 
most semantics-based program manipulation tools. Moreover, many other analyses 
are made more precise by the availability of groundness information. For 
these reasons, the subject of groundness analysis for (constraint) logic programs 
has been widely studied. After the early attempts, some classes of Boolean functions 
have been recognized as constituting good abstract domains for groundness 
analysis [10, 13]. In particular, the set of positive Boolean functions (namely, 
those functions that assume the true value under the valuation assigning true to 
all variables), which is denoted by Pos, allows one to express Boolean properties of 
program variables where the property of one variable may depend on that property 
of other variables. For groundness analysis, since variables can be bound to 
terms containing other variables, the groundness of one variable may depend on 
* Much of this work was supported by EPSRC grant GR/L19515. 
the groundness of other variables. Pos has been recognized as the most precise 
domain for capturing the kind of dependencies arising in groundness analysis. 

This ability to express dependencies makes analysis based on Pos very pre- 
cise, but also makes it relatively expensive, as many operations on Boolean 
formulae have exponential worst case complexity. Armstrong et al. [1] analyzed 
many representations of positive Boolean formulae for abstract interpretation, 
and found Reduced Ordered Binary Decision Diagrams (ROBDDs) [6] to give 
the best performance. 

ROBDDs generated during program analysis often contain many variables 
that are definitely true. In the context of groundness analysis, this means that 
the corresponding program variable must be ground at that point in the program. 
It is shown in [2] that a hybrid representation for Boolean functions that keeps 
these definite variables separate is more efficient than ROBDDs alone. However, 
ROBDDs generated during program analysis also contain many pairs of variables 
that are equivalent. In terms of groundness, this means that either both variables 
are ground, or neither is. Such equivalent variables of course appear for a program 
goal of the form X = Y, but they also frequently appear naturally during the 
analysis process. For example, for a goal X = [Y | Z], where it can be established 
that Y is ground, the analyzer will deduce that X and Z are equivalent. Such 
equivalent pairs can greatly increase the size of ROBDDs, which in turn makes 
ROBDD operations much more expensive. For example, the ROBDD for the 
Boolean function $z$ comprises one node (not counting the 1 and 0 terminal 
nodes), while $(x \leftrightarrow y) \wedge z$ comprises 4 or 5 (usually 5). However, since $x \leftrightarrow y$ 
simply means that $x$ and $y$ are equivalent, we may remove $y$ from the Boolean 
function altogether, leaving us again with a single node, and replace $y$ by $x$ in the 
formulae being analyzed. Since the time complexity of most ROBDD algorithms 
is at best quadratic in the sizes of the graphs involved, this can significantly 
speed up analysis. 

There is another reason for our interest in equivalent variables. A recursive 
definition of the form 
$$f(x_1, \ldots, x_n) = A \vee \big(B \wedge f(x_1, \ldots, x_n)\big),$$
always has least fixpoint $A$, as can be seen by Kleene iteration. This is a special 
instance of Søndergaard's immediate fixpoint theorem [16]. The key point here 
is that the formal parameters of the definition must be the same as the actual 
parameters in the recursive reference. We can establish this if we have a definition 
of the form 
$$f(x_1, \ldots, x_n) = A \vee \big(B \wedge f(y_1, \ldots, y_n) \wedge (x_1 \leftrightarrow y_1) \wedge \cdots \wedge (x_n \leftrightarrow y_n)\big).$$
To show that our definition has this form, we need to find the equivalent variables 
in the recursive arm of the definition. 

In this paper we present a hybrid representation for Boolean functions that 
uses a set to represent definite variables, a set of pairs of equivalent variables to 
represent equivalences, and an ROBDD to represent more complex dependencies. 
This hybrid representation proves to be significantly more efficient overall than 
that of [2]. 

Notice that Boolean functions are used in the more general context of dependency 
analysis, including finiteness analysis for deductive database languages 
[5], suspension analysis for concurrent (constraint) logic programming languages 
[11], and functional dependency (or determinacy) analysis [17]. The hybrid 
representation we propose might be useful also in these contexts, although we have 
not studied this yet. 

The balance of this paper proceeds as follows. In Sect. 2 we briefly review 
the usage of Boolean functions for groundness analysis of (constraint) logic pro- 
grams (even though we assume familiarity with this subject) and we discuss the 
representation we use for Boolean functions. Section 3 presents our hybrid rep- 
resentation, with the necessary algorithms appearing in Sect. 4. Experimental 
results are presented in Sect. 5, and Sect. 6 concludes with some final remarks. 

2 Preliminaries 

Let $U$ be a set. The set of all subsets of $U$ will be denoted by $\wp(U)$. The set of 
all finite subsets of $U$ will be denoted by $\wp_{\rm f}(U)$. The notation $S \subseteq_{\rm f} T$ stands for 
$S \in \wp_{\rm f}(T)$. 

2.1 Boolean Functions for Groundness Analysis 

After the early approaches to groundness analysis [14, 12], which suffered from 
serious precision drawbacks, the use of Boolean functions [10, 13] has become 
customary in the field. The reason is that Boolean functions allow one to capture in 
a very precise way the groundness dependencies that are implicit in unification 
constraints such as $z = f(g(x), y)$: the corresponding Boolean function is 
$(x \wedge y) \leftrightarrow z$, meaning that $z$ is ground if and only if $x$ and $y$ are so. They also capture 
dependencies arising from other constraint domains: for instance, under CLP($\mathcal{R}$) 
$x + 2y + z = 4$ can be abstracted as $((x \wedge y) \rightarrow z) \wedge ((x \wedge z) \rightarrow y) \wedge ((y \wedge z) \rightarrow x)$, 
indicating that determining any two variables is sufficient to determine the third. 

Vars is a fixed denumerable set of variable symbols. The variables are ordered 
by the total order relation $\prec$. For convenience we sometimes use $y \succ x$ as an 
alternative for $x \prec y$. We also use $x \preceq y$ and $y \succeq x$ to mean that either $x \prec y$ 
or $x = y$. We call the least variable $a$, that is, $\forall v \in Vars : a \preceq v$. For a set of 
variables $S$ we will denote by $\min_\prec(S)$ the minimum element of $S$ with respect 
to $\prec$. We also define the succ (successor) function over Vars as follows: 

Definition 1. (The function succ: Vars → Vars.) 
$$\mathrm{succ}(v) \stackrel{\rm def}{=} x, \quad \text{if } v \prec x \text{ and } \neg\exists y \in Vars\,.\, v \prec y \prec x.$$
Note that $x$ is unique. 

We now introduce Boolean functions based on the notion of Boolean valua- 
tion. 
Definition 2. (Boolean valuations.) The set of Boolean valuations over Vars 
is $\mathcal{A} \stackrel{\rm def}{=} Vars \to \{0, 1\}$. For each $a \in \mathcal{A}$, each $x \in Vars$, and each $c \in \{0, 1\}$ the 
valuation $a[c/x] \in \mathcal{A}$ is given, for each $y \in Vars$, by 
$$a[c/x](y) \stackrel{\rm def}{=} \begin{cases} c, & \text{if } x = y; \\ a(y), & \text{otherwise.} \end{cases}$$
For $X = \{x_1, x_2, \ldots\} \subseteq Vars$, we write $a[c/X]$ for $a[c/x_1][c/x_2] \cdots$. 

Definition 3. (Boolean functions.) The set of Boolean functions over Vars 
is $\mathcal{F} \stackrel{\rm def}{=} \mathcal{A} \to \{0, 1\}$. The distinguished elements $\top, \bot \in \mathcal{F}$ are the functions 
defined by $\top \stackrel{\rm def}{=} \lambda a \in \mathcal{A}\,.\,1$ and $\bot \stackrel{\rm def}{=} \lambda a \in \mathcal{A}\,.\,0$. For $f \in \mathcal{F}$, $x \in Vars$, and 
$c \in \{0, 1\}$, the function $f[c/x] \in \mathcal{F}$ is given, for each $a \in \mathcal{A}$, by $f[c/x](a) \stackrel{\rm def}{=} f(a[c/x])$. 
When $X \subseteq Vars$, $f[c/X]$ is defined in the obvious way. If $f \in \mathcal{F}$ and 
$x, y \in Vars$ the function $f[y/x] \in \mathcal{F}$ is given, for each $a \in \mathcal{A}$, by 
$$f[y/x](a) \stackrel{\rm def}{=} f\big(a[a(y)/x]\big).$$
Boolean functions are constructed from the elementary functions corresponding 
to variables, and by means of the usual logical connectives. Thus $x$ denotes the 
Boolean function $f$ such that, for each $a \in \mathcal{A}$, $f(a) = 1$ if and only if $a(x) = 1$. 
For $f_1, f_2 \in \mathcal{F}$, we write $f_1 \wedge f_2$ to denote the function $g$ such that, for each 
$a \in \mathcal{A}$, $g(a) = 1$ if and only if both $f_1(a) = 1$ and $f_2(a) = 1$. The other Boolean 
connectives and quantifiers are handled similarly. 



The question of whether a Boolean function $f$ entails a particular variable $x$ (which 
is what, in the context of groundness analysis, we call definite groundness 
information) is equivalent to the question whether $f \rightarrow x$ is a tautology (namely, 
$f \rightarrow x = \top$). In what follows we will also need the notion of dependent variables 
of a function, as well as disentailed, or definitely false, variables. 

Definition 4. (Dependent, true, false, and equivalent variables.) For 
$f \in \mathcal{F}$, the set of variables on which $f$ depends, the set of variables necessarily 
true for $f$, the set of variables necessarily false for $f$, and the set of equivalent 
variables for $f$, are given, respectively, by 
$$\begin{aligned}
\mathrm{vars}(f) &\stackrel{\rm def}{=} \{\, x \in Vars \mid \exists a \in \mathcal{A}\,.\, f(a[0/x]) \ne f(a[1/x]) \,\}, \\
\mathrm{true}(f) &\stackrel{\rm def}{=} \{\, x \in Vars \mid \forall a \in \mathcal{A} : f(a) = 1 \Rightarrow a(x) = 1 \,\}, \\
\mathrm{false}(f) &\stackrel{\rm def}{=} \{\, x \in Vars \mid \forall a \in \mathcal{A} : f(a) = 1 \Rightarrow a(x) = 0 \,\}, \\
\mathrm{equiv}(f) &\stackrel{\rm def}{=} \{\, (x, y) \in Vars^2 \mid x \prec y,\ \forall a \in \mathcal{A} : f(a) = 1 \Rightarrow a(x) = a(y) \,\}.
\end{aligned}$$



2.2 Binary Decision Diagrams 

Binary Decision Diagrams (BDDs) are a well-known representation of Boolean 
functions [6, 7]. A BDD is a rooted directed acyclic graph where each internal 
node is labeled with a Boolean variable and has two out edges, leading to the 
node's true and false successors. External (leaf) nodes are either 1 or 0. The 
Boolean function represented by a BDD can be evaluated for a given truth 
value assignment by traversing the graph from the root node, taking the true 
edge for nodes whose label is assigned 1 and the false edge when the label is 
assigned 0. The terminal node reached in this traversal is the function value for 
that assignment. 

When a total ordering on the variables is available, we can define Ordered Binary 
Decision Diagrams (OBDDs) as BDDs with the restriction that the label of 
a node is always less than the label of any internal node in its successors. Reduced 
Ordered Binary Decision Diagrams (ROBDDs) are OBDDs with the additional 
condition that they do not contain any two distinct nodes which represent the 
same Boolean function. This means that the two terminal nodes must be unique, 
no two distinct nodes may have the same label and true and false successors, 
and no node may have two identical successors (because then it would represent 
the same Boolean function as the successors). 

We now define ROBDDs formally. Although an ROBDD is a particular kind 
of rooted, directed, and acyclic graph, we prefer not to use the standard notation 
for graphs. Thus an ROBDD is identified with the set of its nodes, one of which 
is designated as the root, the edges being formally part of the nodes themselves. 

Definition 5. (ROBDD) If $N$ is the set of nodes of an ROBDD then $N$ satisfies 
$$N \subseteq \{0, 1\} \cup Vars \times N \times N.$$
The nodes 0 and 1 are called terminal nodes. All the other nodes in $N$ are called 
non-terminal nodes. For each non-terminal node $n \in N$, $n_{\rm var} \in Vars$ denotes 
the variable associated with $n$, $n_{\rm false} \in N$ denotes the false successor of $n$, and 
$n_{\rm true} \in N$ denotes the true successor of $n$. With this notation, $N$ must also satisfy 
the irredundancy and the ordering conditions: for each non-terminal node $n \in N$, 
$n_{\rm false} \ne n_{\rm true}$ and $(m = n_{\rm false} \text{ or } m = n_{\rm true}) \Rightarrow (m \in \{0, 1\} \text{ or } n_{\rm var} \prec m_{\rm var})$. 

Moreover, $N$ is rooted and connected, that is, there exists $r \in N$ (the root) 
such that 
$$\forall n \in N \setminus \{r\} : \exists m \in N\,.\,(n = m_{\rm false} \text{ or } n = m_{\rm true}).$$
An ROBDD is a pair $(r, N)$ that satisfies the above conditions. The set of all 
ROBDDs is denoted by $\mathcal{D}$. 

The meaning of an ROBDD is given as follows. 

Definition 6. (Semantics of ROBDDs.) The function $[\![\cdot]\!]_\mathcal{D} : \mathcal{D} \to \mathcal{F}$ is given, 
for each $(r, N) \in \mathcal{D}$, by $N' \stackrel{\rm def}{=} N \setminus \{r\}$ and 
$$[\![(r, N)]\!]_\mathcal{D} \stackrel{\rm def}{=} \begin{cases}
\bot, & \text{if } r = 0; \\
\top, & \text{if } r = 1; \\
\big(r_{\rm var} \wedge [\![(r_{\rm true}, N')]\!]_\mathcal{D}\big) \vee \big(\neg r_{\rm var} \wedge [\![(r_{\rm false}, N')]\!]_\mathcal{D}\big), & \text{otherwise.}
\end{cases}$$
For simplicity, we will identify an ROBDD with the ROBDD node that constitutes 
its root, since the set of all the nodes can be recovered by any traversal 
that starts from the root. 

In the implementation, a new ROBDD node is created, given a label variable 
$v$ and true and false successors $n$ and $m$ respectively, by the make_node($v$, $n$, $m$) 
function. This is defined such that, if $n = m$, $n$ will be returned. Furthermore, if 
an identical call to make_node has previously been made, the result of that call 
will be returned. This guarantees that if $n$ and $m$ are reduced, then so is the 
resulting node. Note that it is an error if $v \succeq n_{\rm var}$ or $v \succeq m_{\rm var}$. 

ROBDDs have one very important property: they are canonical. This means 
that, for each fixed variable ordering, two ROBDDs represent the same function 
if and only if they are identical [6]. In fact, the definition of make_node is such 
that two ROBDDs are identical if and only if they are stored at the same memory 
address. This is important to the efficiency of many ROBDD operations. 

We will often confuse ROBDDs with the Boolean functions they represent. 
For instance, for $n \in \mathcal{D}$, when we write $\mathrm{vars}(n)$ or $\mathrm{true}(n)$ what we really mean is 
$\mathrm{vars}([\![n]\!]_\mathcal{D})$ or $\mathrm{true}([\![n]\!]_\mathcal{D})$. This convention of referring to the semantics simplifies 
the presentation and should not cause problems. 
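As an added illustration (not code from the paper), here is a small Python ROBDD whose nodes are created only through a hash-consing make_node as described above, built by Shannon expansion along a chosen ordering and evaluated by the traversal of Sect. 2.2. The orderings and the two functions $z$ and $(x \leftrightarrow y) \wedge z$ are constructed to reproduce the "one node versus 4 or 5" comparison from the introduction.

```python
from typing import Callable, Dict, Optional, Sequence, Set, Tuple, Union

Valuation = Dict[str, int]
# A non-terminal node is (n_var, n_false, n_true) as in Definition 5; terminals are 0 and 1.
Node = Union[int, Tuple[str, "Node", "Node"]]


class ROBDD:
    """ROBDD nodes under a fixed variable ordering, created only through make_node."""

    def __init__(self, order: Sequence[str]) -> None:
        self.order = tuple(order)          # the ordering ≺ on Vars: position in this tuple
        self.table: Dict[Node, Node] = {}  # unique table behind make_node

    def _rank(self, n: Node) -> int:
        # terminals sort after every variable, so the ordering condition is vacuous for them
        return self.order.index(n[0]) if isinstance(n, tuple) else len(self.order)

    def make_node(self, v: str, n: Node, m: Node) -> Node:
        """make_node(v, n, m): v labels the node, n is the true successor, m the false one."""
        if n == m:                         # irredundancy: identical successors -> return n
            return n
        if self._rank(n) <= self.order.index(v) or self._rank(m) <= self.order.index(v):
            raise ValueError("label must precede the labels of both successors")
        key: Node = (v, m, n)              # stored as (var, false, true) like Definition 5
        # an identical earlier call returns the very same object (same "memory address")
        return self.table.setdefault(key, key)

    def build(self, f: Callable[[Valuation], int], i: int = 0,
              a: Optional[Valuation] = None) -> Node:
        """Shannon expansion of f along the ordering; Definition 6 read bottom-up."""
        a = {} if a is None else a
        if i == len(self.order):
            return 1 if f(a) else 0
        v = self.order[i]
        lo = self.build(f, i + 1, {**a, v: 0})
        hi = self.build(f, i + 1, {**a, v: 1})
        return self.make_node(v, hi, lo)


def evaluate(n: Node, a: Valuation) -> int:
    """Traverse from the root as in Sect. 2.2: take the true edge when the label is 1."""
    while isinstance(n, tuple):
        v, false_succ, true_succ = n
        n = true_succ if a[v] else false_succ
    return n


def count_nodes(n: Node) -> int:
    """|n|: number of non-terminal nodes reachable from the root (the size used in Sect. 3.1)."""
    seen: Set[int] = set()

    def walk(m: Node) -> None:
        if isinstance(m, tuple) and id(m) not in seen:
            seen.add(id(m))
            walk(m[1])
            walk(m[2])

    walk(n)
    return len(seen)


def node_counts_for_example() -> Tuple[int, int, int]:
    """Sizes of z and (x <-> y) ∧ z under two orderings (constructed example)."""
    f = lambda a: int(a["x"] == a["y"] and a["z"])
    d1 = ROBDD(("x", "y", "z"))   # x ≺ y ≺ z: the equivalent pair is adjacent
    d2 = ROBDD(("x", "z", "y"))   # x ≺ z ≺ y: z sits between x and y
    return (count_nodes(d1.build(lambda a: a["z"])),
            count_nodes(d1.build(f)), count_nodes(d2.build(f)))
```

With $x \prec y \prec z$ the conjunction takes 4 nodes and with $z$ between $x$ and $y$ it takes 5, which is the "4 or 5" of the introduction; $z$ alone is one node under either ordering.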

3 A New Representation for Pos 

We introduce a new representation for Pos. It is made up of three components: 
a set of ground variables, a set of equivalent variables, and an ROBDD, whence 
the name GER representation.¹ A set of ground variables is trivially an element 
of $\mathcal{V} \stackrel{\rm def}{=} \wp_{\rm f}(Vars)$. For $G \in \mathcal{V}$ we define $[\![G]\!]_\mathcal{V} \stackrel{\rm def}{=} \bigwedge G$, where 
$\bigwedge \{x_1, \ldots, x_n\} \stackrel{\rm def}{=} x_1 \wedge \cdots \wedge x_n$ and $\bigwedge \emptyset \stackrel{\rm def}{=} \top$. 

The set of equivalent variables is simply given by a transitively closed set of 
ordered pairs of variables. 

Definition 7. (A representation for equivalent variables.) Sets of equivalent 
variables are represented by means of elements of $\mathcal{E} \subseteq \wp(Vars \times Vars)$ 
such that 

1. $\forall L \in \mathcal{E} : \forall x, y \in Vars : (x, y) \in L \Rightarrow x \prec y$; 

2. $\forall L \in \mathcal{E} : \forall x, y, z \in Vars : (x, y), (y, z) \in L \Rightarrow (x, z) \in L$. 

For $L \in \mathcal{E}$ we use the following notation: 
$$L|_1 \stackrel{\rm def}{=} \{\, x \in Vars \mid (x, y) \in L \,\}, \qquad 
L|_2 \stackrel{\rm def}{=} \{\, y \in Vars \mid (x, y) \in L \,\}, \qquad 
\mathrm{vars}(L) \stackrel{\rm def}{=} L|_1 \cup L|_2.$$
The family of functions $\lambda_L : Vars \to Vars$ is defined, for each $L \in \mathcal{E}$ and each $x \in Vars$, 
by $\lambda_L(x) \stackrel{\rm def}{=} \min_\prec\big(\{x\} \cup \{\, y \in Vars \mid (y, x) \in L \,\}\big)$. $\lambda_L$ maps each variable 
to the least variable of its equivalence class, which we call its leader. $(\mathcal{E}, \supseteq)$ is 



¹ In [2] we had only a set of ground variables and an ROBDD. 




Factorizing Equivalent Variable Pairs in ROBDD-Based Implementations of Pos 477 



clearly a lattice. We will denote the glb and the lub over $(\mathcal{E}, \supseteq)$ by $\wedge_\mathcal{E}$ (transitive 
closure of the union) and $\vee_\mathcal{E}$ (intersection), respectively. The semantics function 
$[\![\cdot]\!]_\mathcal{E} : \mathcal{E} \to \mathcal{F}$ is given by $[\![L]\!]_\mathcal{E} \stackrel{\rm def}{=} \bigwedge \{\, x \leftrightarrow y \mid (x, y) \in L \,\}$. 

In the GER representation, an element of Pos is represented by an element 
of $\mathcal{V} \times \mathcal{E} \times \mathcal{D}$. There are elements of Pos that can be represented by several 
such triples and, in the GER representation, we need to make a choice among 
those. This choice must be canonical and economical. Economy can be explained 
as follows: true variables are most efficiently represented in the first component 
(a bit-vector at the implementation level) and should not occur anywhere else 
in the representation. Equivalent variables are best represented in the second 
component of the GER representation (implemented as a vector of integers). As 
equivalent variables partition the space of variables into equivalence classes, only 
one variable per equivalence class must occur in the ROBDD constituting the 
third component of the representation. If we choose, say, the least variable (with 
respect to the $\prec$ ordering on Vars) of each equivalence class as the representative 
of the class, we have also ensured canonicity. 

Definition 8. (GER representation.) The GER representation for Pos is 
given by the set 
$$\mathcal{G} \stackrel{\rm def}{=} \left\{ (G, L, n) \;\middle|\; 
\begin{array}{l}
G \in \mathcal{V},\ L \in \mathcal{E},\ n \in \mathcal{D}, \\
G \cap \mathrm{vars}(L) = G \cap \mathrm{vars}(n) = L|_2 \cap \mathrm{vars}(n) = \emptyset, \\
\mathrm{true}(n) = \mathrm{equiv}(n) = \emptyset
\end{array} \right\}.$$

The meaning of $\mathcal{G}$'s elements is given by the function $[\![\cdot]\!]_\mathcal{G}$: 
$$[\![(G, L, n)]\!]_\mathcal{G} \stackrel{\rm def}{=} [\![G]\!]_\mathcal{V} \wedge [\![L]\!]_\mathcal{E} \wedge [\![n]\!]_\mathcal{D}.$$

What is required now is a normalization function mapping each element of 
$\mathcal{V} \times \mathcal{E} \times \mathcal{D}$ into the right representative in $\mathcal{G}$. 

Definition 9. (Normalization function $\eta$.) The function $\eta : \mathcal{V} \times \mathcal{E} \times \mathcal{D} \to 
\mathcal{V} \times \mathcal{E} \times \mathcal{D}$ is given by 
$$\eta((G, L, n)) \stackrel{\rm def}{=} (\hat G, \hat L, \hat n)$$
where 
$$\begin{aligned}
\hat G &\stackrel{\rm def}{=} \mathrm{true}\big([\![(G, L, n)]\!]_\mathcal{G}\big), \\
\hat L &\stackrel{\rm def}{=} \mathrm{equiv}\big([\![(G, L, n)]\!]_\mathcal{G}\big) \setminus \{\, (x, y) \in \hat G^2 \mid x \prec y \,\}, \\
\hat n &\stackrel{\rm def}{=} n[1/\hat G][\lambda_{\hat L}(x_1)/x_1] \cdots [\lambda_{\hat L}(x_k)/x_k], \quad \text{if } \mathrm{vars}(n) \setminus \hat G = \{x_1, \ldots, x_k\}.
\end{aligned}$$

A very basic implementation for $\eta$ is given by the normalize function depicted 
in Alg. 1. The need for looping can be understood by means of the following 
examples. Forcing a variable to true in an ROBDD can result in new entailed 
Require: an element $(G, L, n) \in \mathcal{V} \times \mathcal{E} \times \mathcal{D}$ 

function normalize($(G, L, n)$) 

1: $G_{\rm new} := G$; $L_{\rm new} := L$; $n_{\rm new} := n$; 
2: repeat 
3: $G_{\rm old} := G_{\rm new}$; $L_{\rm old} := L_{\rm new}$; $n_{\rm old} := n_{\rm new}$; 
4: $G_{\rm new} := G_{\rm new} \cup \{\, x, y \mid (x, y) \in L_{\rm new},\ \{x, y\} \cap G_{\rm new} \ne \emptyset \,\}$; 
5: $L_{\rm new} := L_{\rm new} \setminus \{\, (x, y) \in G_{\rm new}^2 \mid x \prec y \,\}$; 
6: $n_{\rm new} := n_{\rm new}[1/G_{\rm new}]$; 
7: $G_{\rm new} := G_{\rm new} \cup \mathrm{true}(n_{\rm new})$; 
8: $L_{\rm new} := L_{\rm new} \wedge_\mathcal{E} \mathrm{equiv}(n_{\rm new})$; 
9: $\{x_1, \ldots, x_k\} := \mathrm{vars}(n_{\rm new})$; 
10: $n_{\rm new} := n_{\rm new}[\lambda_{L_{\rm new}}(x_1)/x_1] \cdots [\lambda_{L_{\rm new}}(x_k)/x_k]$; 
11: until $G_{\rm new} = G_{\rm old}$ and $L_{\rm new} = L_{\rm old}$ and $n_{\rm new} = n_{\rm old}$; 
12: return $(G_{\rm new}, L_{\rm new}, n_{\rm new})$; 

Algorithm 1: The normalize function. 



variables: if $n$ represents $x \leftrightarrow y$ then $n[1/x]$ represents $y$. Renaming an ROBDD 
node $n$ by means of a set of equivalent variables $L$ can also give rise to new 
entailed variables. Suppose that $n$ represents the Boolean formula $x \vee y$ and that 
$L = \{(x, y)\}$. Then $n[\lambda_L(y)/y]$ represents $x$. Renaming can also result in new 
equivalent variables: take $n$ representing $x \leftrightarrow (y \wedge z)$ and $L = \{(y, z)\}$ for an 
example. 
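An added worked example (not the authors' implementation): Algorithm 1 run over a truth-table representation of Boolean functions instead of ROBDDs, on the three looping cases just described. The three-variable universe, the function names and the `meaning` check of Theorem 1 are constructed for this example.

```python
from itertools import product
from typing import Callable, Dict, FrozenSet, Set, Tuple

# Constructed three-variable universe; tuple position is the ordering ≺ of the paper,
# so "x" plays the role of the least variable a.
VARS: Tuple[str, ...] = ("x", "y", "z")
Valuation = Dict[str, int]
Pair = Tuple[str, str]
# A Boolean function is stored extensionally as the set of valuations on which it is 1,
# each valuation given by the frozenset of variables it maps to 1 (a truth table, not an ROBDD).
BoolFn = FrozenSet[FrozenSet[str]]


def fn_from(pred: Callable[[Valuation], object]) -> BoolFn:
    """Tabulate a Python predicate over all 2^|VARS| valuations."""
    sat = set()
    for bits in product((0, 1), repeat=len(VARS)):
        a = dict(zip(VARS, bits))
        if pred(a):
            sat.add(frozenset(v for v in VARS if a[v]))
    return frozenset(sat)


TOP: BoolFn = fn_from(lambda a: True)


def apply(f: BoolFn, a: Valuation) -> int:
    return int(frozenset(v for v in VARS if a[v]) in f)


def assign(f: BoolFn, x: str, c: int) -> BoolFn:
    """f[c/x] of Definition 3: f[c/x](a) = f(a[c/x])."""
    return fn_from(lambda a: apply(f, {**a, x: c}))


def rename(f: BoolFn, y: str, x: str) -> BoolFn:
    """f[y/x] of Definition 3: f[y/x](a) = f(a[a(y)/x])."""
    return fn_from(lambda a: apply(f, {**a, x: a[y]}))


def vars_of(f: BoolFn) -> Set[str]:
    """vars(f): variables whose value can change f (Definition 4)."""
    return {x for x in VARS if assign(f, x, 0) != assign(f, x, 1)}


def true_of(f: BoolFn) -> Set[str]:
    """true(f): variables that are 1 in every valuation satisfying f."""
    return {x for x in VARS if all(x in a for a in f)}


def equiv_of(f: BoolFn) -> Set[Pair]:
    """equiv(f): ordered pairs x ≺ y taking the same value in every satisfying valuation."""
    return {(x, y) for i, x in enumerate(VARS) for y in VARS[i + 1:]
            if all((x in a) == (y in a) for a in f)}


def closure(pairs: Set[Pair]) -> FrozenSet[Pair]:
    """Smallest element of E (Definition 7) containing the pairs: the glb of (E, ⊇)."""
    classes: Dict[str, Set[str]] = {v: {v} for v in VARS}
    for x, y in pairs:
        merged = classes[x] | classes[y]
        for v in merged:
            classes[v] = merged
    return frozenset((x, y) for cls in classes.values() for x in cls for y in cls
                     if VARS.index(x) < VARS.index(y))


def leader(L: FrozenSet[Pair], x: str) -> str:
    """lambda_L(x): the least variable of the equivalence class of x."""
    return min({x} | {y for (y, w) in L if w == x}, key=VARS.index)


def meaning(G, L, n: BoolFn) -> BoolFn:
    """[[(G, L, n)]]_G = [[G]]_V ∧ [[L]]_E ∧ [[n]]_D, used to check Theorem 1."""
    return fn_from(lambda a: all(a[g] for g in G)
                   and all(a[x] == a[y] for x, y in L) and apply(n, a))


def normalize(G, L, n: BoolFn):
    """Algorithm 1 of the paper, step numbers as in the listing."""
    G_new, L_new, n_new = set(G), closure(set(L)), n
    while True:
        G_old, L_old, n_old = set(G_new), L_new, n_new                      # step 3
        G_new |= {v for (x, y) in L_new if {x, y} & G_new for v in (x, y)}  # step 4
        L_new = frozenset(p for p in L_new if not set(p) <= G_new)          # step 5
        for g in G_new:                                                     # step 6
            n_new = assign(n_new, g, 1)
        G_new |= true_of(n_new)                                             # step 7
        L_new = closure(set(L_new) | equiv_of(n_new))                       # step 8
        for v in sorted(vars_of(n_new), key=VARS.index):                    # steps 9-10
            n_new = rename(n_new, leader(L_new, v), v)
        if (G_new, L_new, n_new) == (G_old, L_old, n_old):                  # step 11
            return frozenset(G_new), L_new, n_new
```

On $x \vee y$ with $L = \{(x, y)\}$ the loop needs three passes (rename $y$ to $x$, then $x$ becomes entailed, then $y$ joins $G$ through the pair), ending in $(\{x, y\}, \emptyset, \top)$; on $x \leftrightarrow (y \wedge z)$ with $L = \{(y, z)\}$ it ends in the single class $\{x, y, z\}$ with the function component $\top$.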

Theorem 1. We have that $\eta : \mathcal{V} \times \mathcal{E} \times \mathcal{D} \to \mathcal{G}$. Furthermore, for each triple 
$(G, L, N) \in \mathcal{V} \times \mathcal{E} \times \mathcal{D}$, we have 
$$[\![(G, L, N)]\!]_\mathcal{G} = [\![\eta((G, L, N))]\!]_\mathcal{G}.$$
Finally, the normalize function in Alg. 1 is a correct implementation of $\eta$. 

It is important to remark that in the actual implementation several specializations 
are used instead of Alg. 1. In other words, for every possible use of 
normalize, conditions can be guaranteed so as to use a simpler algorithm instead. 
While space limitations do not allow us to be more precise, we just observe that 
roughly 50% of the time normalize would be called with the ROBDD 1. This 
indicates that definitely ground variables and equivalent variables constitute a 
significant proportion of the dependencies that arise in practice. 

3.1 Operations for the Analysis 

Let us briefly review the operations we need over Pos for the purpose of ground- 
ness analysis. Modeling forward execution of (constraint) logic programs requires 
computing the logical conjunction of two functions, the merge over different com- 
putation paths amounts to logical disjunction, whereas projection onto a desig- 
nated set of variables is handled through existential quantification. Conjunction 
with functions of the form $x \leftrightarrow (y_1 \wedge \cdots \wedge y_k)$, for $k \geq 0$, accommodates both 
abstract mgus and the combination operation in domains like Pat(Pos) [9]. 

Let $\sqcap$ be an operation over Pos. The corresponding operation over $\mathcal{Q}$ can 
be specified, roughly speaking, as $\eta \circ \sqcap \circ [\![\cdot]\!]_{\mathcal{Q}}$. However, this is simply a speci- 
fication: the problem is how to compute $\eta \circ \sqcap$ more efficiently exploiting 
the fact that both definitely ground variables and pairs of equivalent variables 
are kept separate in the GER representation. The intuitive recipe (which has 
been extensively validated through experimentation) for achieving efficiency can 
be synthesized in the motto “keep the ROBDD component as small as possible 
and touch it as little as possible”. The specification above does the contrary: it 
pushes all the information into the ROBDD component, performs the operation 
on the ROBDD, and normalizes the result. Let us take the conjunction operation 
$\wedge_{\mathcal{Q}} : \mathcal{Q} \times \mathcal{Q} \to \mathcal{Q}$ and suppose we want to compute $(G_1, L_1, n_1) \wedge_{\mathcal{Q}} (G_2, L_2, n_2)$. A 
first approximation is to compute 

$\eta((G_1 \cup G_2,\ L_1 \wedge_{\mathcal{L}} L_2,\ n_1 \wedge_{\mathcal{D}} n_2))$, (1) 

but we can do better if we reduce the ROBDDs $n_1$ and $n_2$ before computing the 
conjunction (whose complexity is $O(|n_1| \cdot |n_2|)$, where $|n|$ denotes the number 
of nodes in the ROBDD $n$). In order to apply the $\wedge_{\mathcal{D}}$ operator to the smallest 
possible ROBDD nodes we can use the alternative expression 

$\eta((G'_1 \cup G'_2,\ L'_1 \wedge_{\mathcal{L}} L'_2,\ n'_1 \wedge_{\mathcal{D}} n'_2))$, (2) 

where $(G'_i, L'_i, n'_i) = \eta((G_1 \cup G_2, L_1 \wedge_{\mathcal{L}} L_2, n_i))$, for $i = 1, 2$. For lack of space 
we cannot enter into details, but the current implementation uses an expression 
which is intermediate between (1) and (2). Indeed, the attentive reader will have 
noticed that there is a tradeoff in the above motto: keeping the ROBDDs as 
small as possible, as in (2), implies performing several (possibly fruitless) visits 
of the ROBDDs in order to collect entailed and equivalent variables. 

Disjunction is computationally less complex than conjunction in that it does 
not require normalization through $\eta$. This, however, comes at the price of some 
extra complication in the definition: 

$(G_1, L_1, n_1) \vee_{\mathcal{Q}} (G_2, L_2, n_2) = (G_1 \cap G_2,\ L',\ n'_1 \vee_{\mathcal{D}} n'_2)$, 

with $L' = L'_1 \vee_{\mathcal{L}} L'_2$ and 

$L'_1 \stackrel{\mathrm{def}}{=} L_1 \wedge_{\mathcal{L}} \bigwedge_{\substack{x, y \in G_1 \setminus G_2 \\ x < y}} \{(x, y)\}$, \qquad 
$L'_2 \stackrel{\mathrm{def}}{=} L_2 \wedge_{\mathcal{L}} \bigwedge_{\substack{x, y \in G_2 \setminus G_1 \\ x < y}} \{(x, y)\}$, 

$G'_1 \stackrel{\mathrm{def}}{=} \{\lambda_{L'}(x) \mid x \in G_1 \setminus G_2\}$, \qquad 
$G'_2 \stackrel{\mathrm{def}}{=} \{\lambda_{L'}(x) \mid x \in G_2 \setminus G_1\}$, 

$L''_1 \stackrel{\mathrm{def}}{=} (L'_1 \setminus L') \vee_{\mathcal{L}} L_1$, \qquad 
$L''_2 \stackrel{\mathrm{def}}{=} (L'_2 \setminus L') \vee_{\mathcal{L}} L_2$, 

$n'_1 \stackrel{\mathrm{def}}{=} n_1 \wedge_{\mathcal{D}} \bigwedge_{x \in G'_1} x \wedge_{\mathcal{D}} \bigwedge_{(x, y) \in L''_1} x \leftrightarrow y$, \qquad 
$n'_2 \stackrel{\mathrm{def}}{=} n_2 \wedge_{\mathcal{D}} \bigwedge_{x \in G'_2} x \wedge_{\mathcal{D}} \bigwedge_{(x, y) \in L''_2} x \leftrightarrow y$. 
For $i = 1, 2$, $L'_i$ contains the equivalent variables in $L_i$ plus those implied by the 
groundness not shared by the two representations that are about to be disjoined 
(since $x \wedge y$ implies $x \leftrightarrow y$). Thus $L'$ contains the common equivalent pairs. For 
$i = 1, 2$, $G'_i$ contains the non-common ground variables to be restored into the 
ROBDD components, taking into account the common equivalences. Similarly, 
$L''_i$ contains the non-common equivalences to be restored into the respective 
ROBDD: notice that, for $x, y \in G_i \setminus G_{(i \bmod 2)+1}$, care is taken not to restore 
both $x \wedge y$ and $x \leftrightarrow y$. 

For the projection operation over $\mathcal{Q}$, which is indeed quite simple, we refer 
the reader to [4]. 

4 Some Specialized Algorithms 

In order to implement the normalize function, its specializations, and the other 
operations for the analysis, we need efficient algorithms for several operations. 
Algorithms for finding all the variables entailed in an ROBDD have been pre- 
sented in [2, 15], while the operation $n[1/G]$ (called valuation or co-factoring) 
can be easily implemented as described in [7]. 



4.1 Finding Equivalent Variables in ROBDDs 

An algorithm for finding all the pairs of variables in an ROBDD that are equiv- 
alent is presented as Alg. 2. The algorithm follows directly from the following 



Require: an ROBDD node n
function equiv_vars(n)
  equiv_vars_aux(n, { (x, y) | n_var ≤ x < y ≤ max vars(n) })

function equiv_vars_aux(n, U)
  if n = 1 then
    ∅
  else if n = 0 then
    U
  else
    { (n_var, v) | v ∈ (vars_entailed(n_true) ∩ vars_disentailed(n_false)) }
    ∪ (equiv_vars_aux(n_true, U) ∩ equiv_vars_aux(n_false, U))

Algorithm 2: The equiv_vars function. 



theorem. 

Theorem 2. $[\![n]\!]_{\mathcal{D}}$ entails $x \leftrightarrow y$ where $x < y$ if and only if $n = 0$, or $n_{\mathrm{var}} = x$ 
and $[\![n_{\mathrm{true}}]\!]_{\mathcal{D}}$ entails $y$ and $[\![n_{\mathrm{false}}]\!]_{\mathcal{D}}$ disentails $y$, or $n_{\mathrm{var}} \prec x$ and $[\![n_{\mathrm{true}}]\!]_{\mathcal{D}}$ and 
$[\![n_{\mathrm{false}}]\!]_{\mathcal{D}}$ both entail $x \leftrightarrow y$. 

We refer the reader to [2, 15] for the possible implementations of vars_entailed 
(and, by duality, of vars_disentailed). Observe that a crucial ingredient for the 
efficiency of the implementation is caching the results of the calls to equiv_vars, 
vars_entailed, and vars_disentailed. 

4.2 Removing Equivalent Variables 

Once we have identified which variables are equivalent to which others, we can 
significantly reduce the size of an ROBDD by removing all but one of each 
equivalence class of variables. Defining the leader function for an ROBDD node 
$n$ as 

$\lambda_n(x) \stackrel{\mathrm{def}}{=} \lambda_{\mathrm{equiv}(n)}(x)$, 

our aim is to restrict away all but the first variable in each equivalence class, 
that is, all variables $v$ such that $\lambda_n(v) \neq v$. To motivate the algorithm, we begin 
with a simple theorem. 

Theorem 3. Given an ROBDD rooted at $n$, and its corresponding leader func- 
tion $\lambda_n$, for every node $m \neq n$ appearing in the ROBDD such that $\lambda_n(m_{\mathrm{var}}) \neq 
m_{\mathrm{var}}$, either $m_{\mathrm{true}} = 0$ or $m_{\mathrm{false}} = 0$. 

We “remove” a variable from a Boolean function using existential quantifi- 
cation. For an ROBDD node $m$, removing $m_{\mathrm{var}}$ leaves disjoin($m_{\mathrm{true}}$, $m_{\mathrm{false}}$). So 
Theorem 3 tells us that when $\lambda_n(m_{\mathrm{var}}) \neq m_{\mathrm{var}}$, either $m_{\mathrm{true}}$ or $m_{\mathrm{false}}$ will be 0, 
making the disjunction trivial. 

This suggests the algorithm shown as Algorithm 3 for removing all the “un- 
needed” variables in an ROBDD $n$ given its leader function $\lambda_n$. Two obvious 
optimizations of this algorithm immediately suggest themselves. Firstly, we may 
easily compute the last variable (in the ordering) $z$ such that $\lambda_n(z) \neq z$; we 
may then add the case “else if $n_{\mathrm{var}} > z$ then $n$” immediately after the initial 
if. The second and more important optimization is to avoid recomputing the 
squeeze_equiv function by the usual caching technique, returning the result of 
an earlier call with the same arguments. Since the $\lambda_n$ function is the same in 
all recursive calls to squeeze_equiv, we may simplify this by clearing our table of 
previous results whenever squeeze_equiv is called non-recursively (from outside). 
This allows us to use only the $n$ argument as a parameter to this cache. 

When we conjoin two Boolean functions in their GER representation, we also 
have the opportunity to use the variable equivalences of each argument to reduce 
the size of the ROBDD component of the other argument. In order to do this, 
we need an algorithm to compute, given any ROBDD $m$ and equivalent variable 
set $L$, the ROBDD $n$ whose semantics is 

$[\![n]\!]_{\mathcal{D}} = \exists \bar{L} .\ [\![L]\!]_{\mathcal{L}} \wedge [\![m]\!]_{\mathcal{D}}$. 

Space limitations preclude a full exposition of this algorithm, but it may be 
found in [4]. 
Require: an ROBDD node n and a leader function λ
function squeeze_equiv(n, λ)
  if is_terminal(n) then
    n
  else if λ(n_var) = n_var then
    make_node(n_var, squeeze_equiv(n_true, λ), squeeze_equiv(n_false, λ))
  else if n_true = 0 then
    squeeze_equiv(n_false, λ)
  else
    squeeze_equiv(n_true, λ)

Algorithm 3: The squeeze_equiv function. 
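An added example, not code from the paper or from its China analyzer: a minimal hash-consed ROBDD in Python on which vars_entailed and vars_disentailed, equiv_vars (Algorithm 2, justified by Theorem 2) and squeeze_equiv (Algorithm 3) are implemented from the definitions above. Variables are integers ordered by value; the tuple node layout, the explicit variable universe passed to the entailment functions, leader_function and demo are assumptions of this example.

```python
# Added example: minimal ROBDD with equiv_vars (Alg. 2) and squeeze_equiv (Alg. 3).
# Node layout, the `universe` argument and leader_function are assumptions.

ZERO, ONE = 0, 1          # terminal nodes
_unique = {}              # hash-consing table: equal nodes are the same tuple

def make_node(var, t, f):
    """ROBDD constructor: drops redundant tests and shares equal nodes."""
    if t == f:
        return t
    return _unique.setdefault((var, t, f), (var, t, f))

def is_terminal(n):
    return n == ZERO or n == ONE

def var_node(x):
    return make_node(x, ONE, ZERO)

def apply(op, a, b, memo=None):
    """Standard ROBDD apply for a binary Boolean operator op (vars ordered by value)."""
    memo = {} if memo is None else memo
    if is_terminal(a) and is_terminal(b):
        return ONE if op(a == ONE, b == ONE) else ZERO
    if (a, b) in memo:
        return memo[(a, b)]
    va = float("inf") if is_terminal(a) else a[0]
    vb = float("inf") if is_terminal(b) else b[0]
    v = min(va, vb)
    at, af = (a[1], a[2]) if va == v else (a, a)
    bt, bf = (b[1], b[2]) if vb == v else (b, b)
    memo[(a, b)] = make_node(v, apply(op, at, bt, memo), apply(op, af, bf, memo))
    return memo[(a, b)]

AND = lambda p, q: p and q
OR = lambda p, q: p or q
IFF = lambda p, q: p == q

def all_vars(n):
    return set() if is_terminal(n) else {n[0]} | all_vars(n[1]) | all_vars(n[2])

def vars_entailed(n, universe):
    """Variables x with [[n]] |= x; the unsatisfiable node 0 entails every variable."""
    if n == ONE:
        return frozenset()
    if n == ZERO:
        return frozenset(universe)
    return (vars_entailed(n[1], universe) | {n[0]}) & vars_entailed(n[2], universe)

def vars_disentailed(n, universe):
    """Dual of vars_entailed: variables x with [[n]] |= not x."""
    if n == ONE:
        return frozenset()
    if n == ZERO:
        return frozenset(universe)
    return (vars_disentailed(n[2], universe) | {n[0]}) & vars_disentailed(n[1], universe)

def equiv_vars(n):
    """Algorithm 2: all pairs (x, y), x < y, such that [[n]] entails x <-> y."""
    vs = sorted(all_vars(n))
    universe = frozenset(vs)
    u = frozenset((x, y) for x in vs for y in vs if x < y)
    return _equiv_vars_aux(n, u, universe)

def _equiv_vars_aux(n, u, universe):
    if n == ONE:
        return frozenset()
    if n == ZERO:
        return u
    # Theorem 2, middle case: n_var <-> y holds iff y is forced true under n_true
    # and forced false under n_false.
    here = frozenset((n[0], y) for y in
                     vars_entailed(n[1], universe) & vars_disentailed(n[2], universe))
    # Theorem 2, last case: pairs below n_var must hold in both branches.
    return here | (_equiv_vars_aux(n[1], u, universe) & _equiv_vars_aux(n[2], u, universe))

def leader_function(pairs):
    """lambda(x): the smallest variable of x's equivalence class (x itself if alone)."""
    leader = {}
    for x, y in sorted(pairs):
        leader[y] = min(leader.get(y, y), leader.get(x, x))
    return lambda x: leader.get(x, x)

def squeeze_equiv(n, lam):
    """Algorithm 3: existentially drop every non-leader variable; Theorem 3
    guarantees that at such a node one child is 0, so no disjunction is needed."""
    if is_terminal(n):
        return n
    if lam(n[0]) == n[0]:
        return make_node(n[0], squeeze_equiv(n[1], lam), squeeze_equiv(n[2], lam))
    if n[1] == ZERO:
        return squeeze_equiv(n[2], lam)
    return squeeze_equiv(n[1], lam)

def demo():
    """Constructed input: n = (x <-> y) and (y or z), with x=1, y=2, z=3.
    Removing y, which is equivalent to x, leaves the ROBDD of x or z."""
    x, y, z = var_node(1), var_node(2), var_node(3)
    n = apply(AND, apply(IFF, x, y), apply(OR, y, z))
    pairs = equiv_vars(n)
    squeezed = squeeze_equiv(n, leader_function(pairs))
    return pairs, squeezed == apply(OR, x, z)

if __name__ == "__main__":
    print(demo())   # (frozenset({(1, 2)}), True)
```

Note that on a ROBDD such as x ∧ y ∧ z every pair of variables comes out as equivalent, which is why normalize factors definitely ground variables into G before looking for equivalences.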



5 Experimental Evaluation 

The ideas presented in this section have been experimentally validated in the con- 
text of the development of the China analyzer [3]. China is a data-flow analyzer 
for $\mathrm{CLP}(\mathcal{H}, \mathcal{N})$ languages (i.e., Prolog, $\mathrm{CLP}(\mathcal{R})$, clp(FD) and so forth) written 
in C++ and Prolog. It performs bottom-up analysis deriving information about 
success-patterns and, optionally, call-patterns by means of program transforma- 
tions and optimized fixpoint computation techniques. We have performed the 
analysis of a suite comprising 170 programs on the domain Pattern(Pos) (simi- 
lar to Pat(Pos) [3]), switching off all the other domains currently supported by 
China¹, and switching off the widening operations normally used to throttle the 
complexity of the analysis. 

A selection of the experimental results is reported in Tables 1 and 2. These 
tables give, for each program, the analysis times and the number of ROBDD 
nodes allocated for the standard implementation based on ROBDDs only, but 
making use of the optimized algorithms described in [15] (R), for the implemen- 
tation where definitely ground variables are factored out from the ROBDDs as 
explained in [2] (GR), and for the implementation based on the ideas presented 
in this paper (GER). The analysis has been considered impractical (and thus 
stopped) as soon as the amount of memory used by China exceeded 16 MB (for 
medium sized programs this corresponds to roughly 320,000 ROBDD nodes). 
This is indicated by ∞ in Table 1 and by a dash in Table 2. 

The computation times have been taken on a Pentium II machine clocked at 
233MHz, with 64 MB of RAM, and running Linux 2.0.32. 

As can be seen from the tables, the proposed technique improves the state- 
of-the-art of groundness analysis with Pattern(Pos) considerably. Programs that 
were out of reach for previous implementations are now analyzable in reasonable 
time, while for most other programs the measured speedup is between a factor 
of 2 and an order of magnitude. As far as the memory requirements of 
the analysis are concerned, the new representation allows for big savings, as 
indicated by Table 2. Comparing the results with those of [8, page 45], and 

¹ Namely, numerical bounds and relations, aliasing, freeness, and polymorphic types. 







Factorizing Equivalent Variable Pairs in ROBDD-Based Implementations of Pos 

                          Goal independent            Goal dependent
Program                   R       GR      GER         R       GR      GER
action.pl                 1.59    1.58    0.17        3.21    2.78    1.44
bp0-6.pl                  0.18    0.09    0.04        0.18    0.06    0.07
bridge.clpr               0.3     0.33    0.11        0.1     0.02    0.02
chat_parser.pl            ∞       ∞       0.54        ∞       ∞       2.11
critical.clpr             0.18    0.17    0.03        ∞       ∞       0.14
cs2.pl                    0.11    0.09    0.04        0.08    0.03    0.04
csg.clpr                  0.11    0.11    0.01        0.06    0.04    0.02
ime_v2-2-1.pl             0.28    0.19    0.08        0.53    0.2     0.12
kalah.pl                  0.23    0.1     0.05        0.24    0.09    0.12
log_interpreter.pl        0.51    0.43    0.17        2.95    2.56    0.6
peval.pl                  0.87    0.73    0.31        1.97    1.58    0.55
read.pl                   0.41    0.16    0.1         0.76    0.54    0.24
reducer.pl                0.11    0.1     0.07        0.9     0.83    0.25
rubik.pl                  ∞       ∞       0.13        ∞       ∞       0.64
see.pl                    ∞       ∞       0.62        1.04    0.15    0.14
sdda.pl                   0.11    0.09    0.03        1.94    1.47    0.16
sim_v5-2.pl               0.24    0.21    0.19        0.37    0.25    0.29
simple_analyzer.pl        ∞       ∞       0.16        ∞       ∞       4.2
unify.pl                  1.39    0.66    0.14        ∞       ∞       0.78

Table 1. Results obtained with China: analysis time in seconds. 



                          Goal independent            Goal dependent
Program                   R       GR      GER         R       GR      GER
action.pl                 228913  228027  ?           186745  173167  20861
bp0-6.pl                  33838   12694   ?           12162   1219    103
bridge.clpr               14765   14762   ?           4044    3243    2174
chat_parser.pl            -       -       ?           -       -       26634
critical.clpr             14824   14284   ?           -       -       7846
cs2.pl                    16044   11359   ?           4425    214     64
csg.clpr                  317     106     ?           196     30      27
ime_v2-2-1.pl             42088   21210   ?           59203   20693   2634
kalah.pl                  42008   10962   ?           8487    322     114
log_interpreter.pl        61249   50083   ?           213388  167080  9354
peval.pl                  96883   75218   ?           190905  147545  20357
read.pl                   49710   14883   ?           55804   32764   3095
reducer.pl                13534   11542   ?           92485   87306   7317
rubik.pl                  -       -       ?           -       -       5261
see.pl                    -       -       ?           82788   5762    215
sdda.pl                   19561   14360   ?           201732  157191  2798
sim_v5-2.pl               18600   13073   ?           5958    319     120
simple_analyzer.pl        -       -       ?           -       -       65125
unify.pl                  188476  94923   ?           -       -       25679

Table 2. Results obtained with China: number of BDD nodes. (The goal independent 
GER column is not legible in the source scan; its entries are marked "?".) 
scaling the timings in order to account for the difference in performance between 
a Pentium-II at 233MHz and a Sun SparcStation 10/30, it can be seen that we 
have significantly pushed forward the practicality of Pos. 

It is worth noticing that while the analyses based on Pattern(Pos) are compu- 
tationally more complex than those simply based on Pos (Cortesi et al. measured 
a slowdown of around 20), they are also significantly more precise [8]. 

6 Conclusion 

We have studied the problem of efficient dependency analysis, and in particular 
groundness analysis, of (constraint) logic programs, using the Pos domain. As 
others have concluded that ROBDDs are the most efficient representation for 
use in this sort of analysis, we have concentrated on improving the efficiency 
of the operations needed during program analysis for ROBDDs. However, since 
many ROBDD operations have super-linear time cost, we sought to reduce the 
size of the ROBDDs being manipulated by removing certain information from 
the ROBDDs and representing it in a way specialized to its nature. We remove 
definite variables as in [2], storing them in a bit vector. The main accomplish- 
ment of this work, however, has been to remove all pairs of equivalent variables, 
storing them as an array of variable numbers. We have shown how this new 
hybrid representation significantly decreases the size of the ROBDDs being ma- 
nipulated. More importantly, analysis times are significantly improved beyond 
the significant speedup achieved in [2]. 
Abstract. The purpose of this paper is to bring the most important 
and influential concepts of arrows between institutions, i.e., institution 
morphisms, plain maps of institutions, simulations, and (simple) maps of 
institutions into a common perspective. Based on three simple construc- 
tions for institutions — reindexing, change of syntax, change of semantics 
— we show, firstly, that each of these arrows can be equivalently char- 
acterized by the existence of a corresponding intermediate institution that 
is related to both involved institutions syntactically or semantically, re- 
spectively. Secondly, we show that taking into account reindexing and 
restriction of semantics, we can describe any of these arrows as an in- 
stitution morphism (or dually as a plain map) between institutions of 
the same scheme. We also discuss the possible role of the intermediate 
institutions in applications. 



1 Introduction 



It is well-known that the (formal) software development process is usually car- 
ried out in a heterogeneous environment of methods, languages, formalisms, 
and platforms. More specifically, the need to use different logical formalisms in 
order to adequately specify different views of systems, brings with it the neces- 
sity of developing sophisticated tools in order to provide some sort of formal 
inter-operability in such a complex setting. Interesting and exciting work in this 
direction can be exemplified by the development of suitable notions of mappings 
between logics |5l8f2l1 2| , of very flexible logical frameworks HHI, of combination 
and synchronization of logics 1118114) . and of multi-paradigm languages |3]. In 
this paper we take the concept of institution as a formalization of the notion 
of logic. This concept focuses particularly on the model-theoretic aspects of a 
logical system. 

Briefly, an institution $\mathcal{I} = (\mathbf{Sign}, Sen, Mod, \models)$ consists of 

— a category $\mathbf{Sign}$ whose objects are called signatures; 

— a functor $Sen : \mathbf{Sign} \to \mathbf{Set}$, giving for each signature a set whose elements 
are called sentences over that signature; 

— a functor $Mod : \mathbf{Sign}^{op} \to \mathbf{Cat}$, giving for each signature $\Sigma$ a category whose 
objects are called $\Sigma$-models, and whose arrows are called $\Sigma$-morphisms; 

— and a function $\models$ associating to each signature $\Sigma$ a relation $\models_\Sigma \subseteq |Mod(\Sigma)| \times 
Sen(\Sigma)$, called $\Sigma$-satisfaction relation, 

such that for each arrow $\phi : \Sigma_1 \to \Sigma_2$ in $\mathbf{Sign}$ the satisfaction condition 

$M_2 \models_{\Sigma_2} Sen(\phi)(\varphi_1) \iff Mod(\phi)(M_2) \models_{\Sigma_1} \varphi_1$ 

holds for any $M_2 \in |Mod(\Sigma_2)|$ and any $\varphi_1 \in Sen(\Sigma_1)$. 

Based on the satisfaction relation above, one is able to introduce the notion 
of semantical consequence between a set of sentences $\Gamma$ and a sentence $\varphi$. More 
precisely, let $\Sigma \in |\mathbf{Sign}|$. Then a sentence $\varphi \in Sen(\Sigma)$ is said to be a semantical 
consequence in $\mathcal{I}$ of a set of sentences $\Gamma \subseteq Sen(\Sigma)$, written $\Gamma \models_\Sigma \varphi$, iff $\forall M \in 
|Mod(\Sigma)| : M \models_\Sigma \Gamma \Rightarrow M \models_\Sigma \varphi$. 

Two derived structures of an institution, which will be of particular interest 
in this paper, concern the notions of the category of theories and of the gener- 
alized model functor. The category $\mathbf{Th}$ of theories (specifications) has as objects 
pairs $(\Sigma, \Gamma)$ with $\Sigma \in |\mathbf{Sign}|$ and $\Gamma \subseteq Sen(\Sigma)$, and as arrows $(\phi, \models) : (\Sigma_1, \Gamma_1) \to 
(\Sigma_2, \Gamma_2)$ signature morphisms $\phi : \Sigma_1 \to \Sigma_2$ such that $\Gamma_2 \models_{\Sigma_2} Sen(\phi)(\Gamma_1)$. For 
a theory $(\Sigma, \Gamma)$ we consider $Mod_\models(\Sigma, \Gamma)$ to be the full subcategory of $Mod(\Sigma)$ 
with $M \in |Mod_\models(\Sigma, \Gamma)|$ iff $M \models_\Sigma \varphi$ for all $\varphi \in \Gamma$. The satisfaction condition 
ensures that for each arrow $(\phi, \models)$ in $\mathbf{Th}$, $Mod(\phi)(Mod_\models(\Sigma_2, \Gamma_2))$ is contained in 
$Mod_\models(\Sigma_1, \Gamma_1)$, i.e., we can restrict the functor $Mod(\phi) : Mod(\Sigma_2) \to Mod(\Sigma_1)$ 
to a functor $Mod_\models(\phi, \models) : Mod_\models(\Sigma_2, \Gamma_2) \to Mod_\models(\Sigma_1, \Gamma_1)$. Globally this 
means that we can extend the original model functor $Mod : \mathbf{Sign}^{op} \to \mathbf{Cat}$ to a 
generalized model functor $Mod_\models : \mathbf{Th}^{op} \to \mathbf{Cat}$. The obvious projection functor 
from $\mathbf{Th}$ to $\mathbf{Sign}$ will be denoted by $sign : \mathbf{Th} \to \mathbf{Sign}$ and the embedding functor 
assigning $\Sigma$ to $(\Sigma, \emptyset)$ by $inj : \mathbf{Sign} \to \mathbf{Th}$. 

In the last decade, a number of different concepts of arrows between institu- 
tions were introduced. This variety is justified in principle by two reasons: firstly, 
the need to provide more flexible and general concepts in order to formalize 
properly relationships between logics. Secondly, to provide technical machinery 
suited to some particular application, as for instance, logical semantics of multi- 
paradigm languages or specification development with constraints expressed 
in different logical systems 0 . 

Arrows between institutions, say $\mathcal{I}$ and $\mathcal{I}'$, are usually based on a translation 
$\Phi$ of signatures, a (natural) translation $\alpha$ of sentences, and a (natural) translation 
$\beta$ of models. The essential point is that sentences and models are translated 
contravariantly. This contravariance means that, in general, only a part of $\mathcal{I}$ is 
related to a part of $\mathcal{I}'$. This relational nature of arrows can be made structurally 
explicit by a corresponding span characterization of each arrow. That is, each 
arrow between $\mathcal{I}$ and $\mathcal{I}'$ indicates the existence of an intermediate institution 
$\mathcal{I}^m$ that is related covariantly to both institutions $\mathcal{I}$ and $\mathcal{I}'$. 

The purpose of this paper is to bring the most important and influential 
concepts of arrows between institutions, i.e., institution morphisms, plain maps 
of institutions, simulations, and (simple) maps of institutions into a common 
perspective. The technical basis for our results is provided by the observation 
that each of the above mentioned translations gives rise to a simple construction 
principle for institutions, i.e., $\Phi$ allows reindexing, $\alpha$ allows change of syntax, and 
$\beta$ allows change of semantics. Taking into account reindexing and restriction of 
semantics, i.e., change of semantics with $\beta$ a (natural) inclusion, we are able, 
moreover, to describe equivalently any of the considered concepts of arrows as 
an institution morphism (or dually as a plain map) between institutions of the 
same scheme, i.e., with the same category of signatures. 

Each concept of an arrow between institution determines a corresponding 
category. Readers interested in a comprehensive presentation of all these cate- 
gories, and in a systematic unifying study of all the functorial relations between 
these different categories, are referred to ^ 

2 Institution Morphisms 

We start our analysis with the original proposal for a formalization of arrows 
between institutions. 

Definition 1 (Institution morphism, |0). Let $\mathcal{I} = (\mathbf{Sign}, Sen, Mod, \models)$ and 
$\mathcal{I}' = (\mathbf{Sign}', Sen', Mod', \models')$ be institutions. An institution morphism $(\Phi, \alpha, \beta) : 
\mathcal{I} \to \mathcal{I}'$ is given by 

— a functor $\Phi : \mathbf{Sign} \to \mathbf{Sign}'$, 

— a natural transformation $\alpha : \Phi; Sen' \Rightarrow Sen : \mathbf{Sign} \to \mathbf{Set}$, and 

— a natural transformation $\beta : Mod \Rightarrow \Phi^{op}; Mod' : \mathbf{Sign}^{op} \to \mathbf{Cat}$, 

such that for each $\Sigma \in |\mathbf{Sign}|$ the institution morphism condition 

$M \models_\Sigma \alpha(\Sigma)(\varphi') \iff \beta(\Sigma)(M) \models'_{\Phi(\Sigma)} \varphi'$ 

holds for any $M \in |Mod(\Sigma)|$ and $\varphi' \in Sen'(\Phi(\Sigma))$. □ 



Example 1. The running example presented in jS] concerns the relation between 
the institution of many-sorted first order logic with equality $MSFOL^=$ and the 
institution of many-sorted equational logic $MSEL$. 

Firstly, forgetting predicate symbols defines a functor $\Phi : \mathbf{Sign}_{MSFOL^=} \to 
\mathbf{Sign}_{MSEL}$ with $\Phi(S, OP, P) = (S, OP)$ for any first order signature $(S, OP, P)$. 
Secondly, any equation in context $(X : t = u) \in Sen_{MSEL}(S, OP)$ can be trans- 
lated into a closed first order formula $(\forall X : t = u) \in Sen_{MSFOL^=}(S, OP, P)$, 
i.e., we actually have a natural transformation $\alpha : \Phi; Sen_{MSEL} \Rightarrow Sen_{MSFOL^=}$. 
Thirdly, any first order model $M \in |Mod_{MSFOL^=}(S, OP, P)|$ has an underly- 
ing total algebra $M| \in |Mod_{MSEL}(S, OP)|$, where the interpretation of the 
predicate symbols is forgotten, i.e., we actually have a natural transformation 
$\beta : Mod_{MSFOL^=} \Rightarrow \Phi^{op}; Mod_{MSEL}$. The institution morphism condition for 
$(\Phi, \alpha, \beta) : MSFOL^= \to MSEL$ holds obviously. □ 
One essential observation for logics with model theory concerns the con- 
travariance of translating sentences or models, respectively, along a signature 
morphism. This observation is formally fixed in the concept of institution and it 
seems “natural” to require such a contravariance also for arrows between insti- 
tutions. Goguen and Burstall use the category Trel of twisted relations to justify 
categorically the “naturality” of this choice. 

A crucial point for applications of arrows between institutions is how seman- 
tical consequence in both institutions is related. 

Proposition 1. Institution morphisms $(\Phi, \alpha, \beta) : \mathcal{I} \to \mathcal{I}'$ reflect semantical 
consequence, i.e., for every $\Sigma \in |\mathbf{Sign}|$, every $\Gamma' \subseteq Sen'(\Phi(\Sigma))$, and every $\varphi' \in 
Sen'(\Phi(\Sigma))$: $\alpha(\Sigma)(\Gamma') \models_\Sigma \alpha(\Sigma)(\varphi') \Leftarrow \Gamma' \models'_{\Phi(\Sigma)} \varphi'$. □ 

Now, we take a step back and try to look more structurally at the definition 
of institution morphisms. At a second glance we see that the category $\mathbf{Sign}$ can 
be considered to be the “syntactic scheme” of an institution $\mathcal{I}$. Taking into ac- 
count reindexing of institutions we can describe institution morphisms as arrows 
between institutions of the same syntactic scheme. 

Proposition 2 (Reindexed institution). Let $\mathcal{I}' = (\mathbf{Sign}', Sen', Mod', \models')$ be 
an institution and let $\Phi : \mathbf{Sign} \to \mathbf{Sign}'$ be a functor. Then there is a reindexed 
institution $\mathcal{I}'_\Phi$, which can be defined as 

$\mathcal{I}'_\Phi = (\mathbf{Sign}, \Phi; Sen', \Phi^{op}; Mod', \models'_\Phi)$, 

where for each $\Sigma \in |\mathbf{Sign}|$ : $\models'_{\Phi,\Sigma} \stackrel{\mathrm{def}}{=} \models'_{\Phi(\Sigma)}$. □ 

Proposition 3. $(\Phi, \alpha, \beta) : \mathcal{I} \to \mathcal{I}'$ is an institution morphism iff $(id_{\mathbf{Sign}}, \alpha, \beta) : 
\mathcal{I} \to \mathcal{I}'_\Phi$ is an institution morphism. □ 

Proposition 3 suggests looking for further constructions of new institutions 
that may be helpful in understanding and applying the different notions of arrows 
between institutions. 

Following this suggestion we will show next that the “syntax” of an institu- 
tion can be changed via a natural transformation $\alpha$ mapping the new syntax to 
the old syntax and that, analogously, the “semantics” of an institution can be 
changed via a natural transformation $\beta$ mapping the new semantics to the old 
one. 

Lemma 1. Let be given an institution $\mathcal{I} = (\mathbf{Sign}, Sen, Mod, \models)$, a functor $Sen'' : 
\mathbf{Sign} \to \mathbf{Set}$ with a natural transformation $\alpha : Sen'' \Rightarrow Sen : \mathbf{Sign} \to \mathbf{Set}$, and a 
functor $Mod'' : \mathbf{Sign}^{op} \to \mathbf{Cat}$ with a natural transformation $\beta : Mod'' \Rightarrow Mod : 
\mathbf{Sign}^{op} \to \mathbf{Cat}$. Then for any $\phi : \Sigma_1 \to \Sigma_2$ in $\mathbf{Sign}$ the following hold: 

1. $M \models_{\Sigma_2} \alpha(\Sigma_2)(Sen''(\phi)(\varphi'')) \iff Mod(\phi)(M) \models_{\Sigma_1} \alpha(\Sigma_1)(\varphi'')$ 
for any $M \in |Mod(\Sigma_2)|$ and $\varphi'' \in Sen''(\Sigma_1)$; 

2. $\beta(\Sigma_2)(M'') \models_{\Sigma_2} Sen(\phi)(\varphi) \iff \beta(\Sigma_1)(Mod''(\phi)(M'')) \models_{\Sigma_1} \varphi$ 
for any $M'' \in |Mod''(\Sigma_2)|$ and $\varphi \in Sen(\Sigma_1)$. 

Proof. “1”: By the naturality of $\alpha$ and the satisfaction condition in $\mathcal{I}$, we have im- 
mediately that $M \models_{\Sigma_2} \alpha(\Sigma_2)(Sen''(\phi)(\varphi'')) \iff M \models_{\Sigma_2} Sen(\phi)(\alpha(\Sigma_1)(\varphi'')) 
\iff Mod(\phi)(M) \models_{\Sigma_1} \alpha(\Sigma_1)(\varphi'')$. 

“2”: Analogously. □ 

If we consider the patterns $\_ \models_\Sigma \alpha(\Sigma)(\_)$ and $\beta(\Sigma)(\_) \models_\Sigma \_$ as describing 
relations between $|Mod(\Sigma)|$ and $Sen''(\Sigma)$ or between $|Mod''(\Sigma)|$ and $Sen(\Sigma)$, 
respectively, it is not difficult to see that the equivalences in Lemma 1 have the 
shape of satisfaction conditions. For what institutions these satisfaction condi- 
tions hold is made precise in the next proposition. 

Proposition 4 (Change of syntax and semantics). Let be given an insti- 
tution $\mathcal{I} = (\mathbf{Sign}, Sen, Mod, \models)$. 

1. For any natural transformation $\alpha : Sen'' \Rightarrow Sen : \mathbf{Sign} \to \mathbf{Set}$ there is an 
institution $\mathcal{I}|_\alpha$, called $\mathcal{I}$ prefixed by $\alpha$, which can be defined as $\mathcal{I}|_\alpha = 
(\mathbf{Sign}, Sen'', Mod, \models_\alpha)$ where for each $\Sigma \in |\mathbf{Sign}|$ 

$\models_{\alpha,\Sigma} \stackrel{\mathrm{def}}{=} (id_{Mod(\Sigma)} \times \alpha(\Sigma)^{-1})(\models_\Sigma) \subseteq |Mod(\Sigma)| \times Sen''(\Sigma)$, 
i.e., $M \models_{\alpha,\Sigma} \varphi''$ iff $M \models_\Sigma \alpha(\Sigma)(\varphi'')$. 

2. For any natural transformation $\beta : Mod'' \Rightarrow Mod : \mathbf{Sign}^{op} \to \mathbf{Cat}$ there is 
an institution $\mathcal{I}|_\beta$, called $\mathcal{I}$ prefixed by $\beta$, which can be defined as $\mathcal{I}|_\beta = 
(\mathbf{Sign}, Sen, Mod'', \models_\beta)$ where for each $\Sigma \in |\mathbf{Sign}|$ 

$\models_{\beta,\Sigma} \stackrel{\mathrm{def}}{=} (\beta(\Sigma)^{-1} \times id_{Sen(\Sigma)})(\models_\Sigma) \subseteq |Mod''(\Sigma)| \times Sen(\Sigma)$, 

i.e., $M'' \models_{\beta,\Sigma} \varphi$ iff $\beta(\Sigma)(M'') \models_\Sigma \varphi$. □ 

According to Proposition 2 and Proposition 4 we can consider for any insti- 
tution morphism $(\Phi, \alpha, \beta) : \mathcal{I} \to \mathcal{I}'$, firstly, the institution $\mathcal{I}$ prefixed by $\alpha$ 

$\mathcal{I}|_\alpha = (\mathbf{Sign}, \Phi; Sen', Mod, \models_\alpha)$ 

and, secondly, the reindexed institution $\mathcal{I}'_\Phi$ prefixed by $\beta$ 

$\mathcal{I}'_\Phi|_\beta = (\mathbf{Sign}, \Phi; Sen', Mod, \models'_{\Phi,\beta})$. 

Both institutions have the same category of signatures and the same sentence 
and model functor, respectively. Moreover, the institution morphism condition 
is equivalent to the requirement $\models_\alpha = \models'_{\Phi,\beta}$. 

Proposition 5 (Institution morphism condition). $(\Phi, \alpha, \beta) : \mathcal{I} \to \mathcal{I}'$ is an 
institution morphism iff $\mathcal{I}|_\alpha = \mathcal{I}'_\Phi|_\beta$. 

Proof. According to the definition of $\mathcal{I}|_\alpha$ and $\mathcal{I}'_\Phi|_\beta$ we have that for any $M \in 
|Mod(\Sigma)|$ and any $\varphi' \in Sen'(\Phi(\Sigma))$ the conditions ($M \models_\Sigma \alpha(\Sigma)(\varphi') \iff 
\beta(\Sigma)(M) \models'_{\Phi(\Sigma)} \varphi'$) and ($M \models_{\alpha,\Sigma} \varphi' \iff M \models'_{\Phi,\beta,\Sigma} \varphi'$) are equivalent. □ 

To be able to describe the relation between $\mathcal{I}|_\alpha$ and $\mathcal{I}$ or $\mathcal{I}'_\Phi|_\beta$ and $\mathcal{I}'$, 
respectively, we introduce the concept of institution transformation that can 
be understood to be a “pointwise” variant (for institutions) of the concept of 
pre-institution transformation in m 

Definition 2 (Institution transformation, |;7j). Let $\mathcal{I}$ and $\mathcal{I}'$ be institutions. 
An institution transformation $(\Phi, \alpha, \beta) : \mathcal{I} \to \mathcal{I}'$ is given by 

— a functor $\Phi : \mathbf{Sign} \to \mathbf{Sign}'$, 

— a natural transformation $\alpha : Sen \Rightarrow \Phi; Sen' : \mathbf{Sign} \to \mathbf{Set}$, and 

— a natural transformation $\beta : Mod \Rightarrow \Phi^{op}; Mod' : \mathbf{Sign}^{op} \to \mathbf{Cat}$ 

such that the institution transformation condition 

$M \models_\Sigma \varphi \iff \beta(\Sigma)(M) \models'_{\Phi(\Sigma)} \alpha(\Sigma)(\varphi)$ 

holds for any $\Sigma \in |\mathbf{Sign}|$, $M \in |Mod(\Sigma)|$, and $\varphi \in Sen(\Sigma)$. □ 

The above concept of arrow between institutions correlates to the usual con- 
cept of (strong) arrow between first order structures: Abstracting from index- 
ing, we have structures with two carriers $Mod$, $Sen$ and with a binary predicate 
$\models \subseteq |Mod| \times Sen$. A (strong) arrow between two structures $(Mod, Sen, \models)$ and 
$(Mod', Sen', \models')$ is given by two translations $\beta : Mod \to Mod'$ and $\alpha : Sen \to 
Sen'$, so that the truth of the binary predicate is not only preserved but also 
reflected. If we would like a more intentional interpretation, we could also say that 
the satisfaction relation $\models'$ can be used to “simulate” the satisfaction relation $\models$ 
via $\alpha$ and $\beta$. That is, analogously to Proposition 5 we can prove the institution 
transformation condition to be equivalent to the requirement $\models_\Sigma = \models'_{\Phi,\alpha,\beta,\Sigma}$ 
where $\models'_{\Phi,\alpha,\beta,\Sigma} \stackrel{\mathrm{def}}{=} (\beta(\Sigma)^{-1} \times \alpha(\Sigma)^{-1})(\models'_{\Phi(\Sigma)})$ for each $\Sigma \in |\mathbf{Sign}|$. 

Now we can summarize our considerations so far by characterizing institution 
morphisms as spans of institution transformations. 

Theorem 1 (Intermediate institution). 

1. Let $(\Phi, \alpha, \beta) : \mathcal{I} \to \mathcal{I}'$ be an institution morphism. Then there is an institu- 
tion $\mathcal{I}^m = (\mathbf{Sign}, \Phi; Sen', Mod, \models^m)$, such that the two triples 

$(id_{\mathbf{Sign}}, \alpha, id_{Mod}) : \mathcal{I}^m \to \mathcal{I}$ and $(\Phi, id_{\Phi;Sen'}, \beta) : \mathcal{I}^m \to \mathcal{I}'$ 

define institution transformations. 

2. Vice-versa, given an institution $\mathcal{I}^m = (\mathbf{Sign}, \Phi; Sen', Mod, \models^m)$ and insti- 
tution transformations 

$(id_{\mathbf{Sign}}, \alpha, id_{Mod}) : \mathcal{I}^m \to \mathcal{I}$ and $(\Phi, id_{\Phi;Sen'}, \beta) : \mathcal{I}^m \to \mathcal{I}'$, 

the triple $(\Phi, \alpha, \beta) : \mathcal{I} \to \mathcal{I}'$ defines an institution morphism. 

Proof. “1”: We set $\mathcal{I}^m \stackrel{\mathrm{def}}{=} \mathcal{I}|_\alpha = \mathcal{I}'_\Phi|_\beta$ according to Proposition 5. Since 
$\models^m_\Sigma = \models_{\alpha,\Sigma}$ we have for any $M \in |Mod(\Sigma)|$, $\varphi' \in Sen'(\Phi(\Sigma))$: $M \models^m_\Sigma \varphi' \iff 
M \models_\Sigma \alpha(\Sigma)(\varphi')$. This shows that $(id_{\mathbf{Sign}}, \alpha, id_{Mod}) : \mathcal{I}^m \to \mathcal{I}$ is an institution 
transformation. Further, we have $M \models^m_\Sigma \varphi' \iff \beta(\Sigma)(M) \models'_{\Phi(\Sigma)} \varphi'$ since 
$\models^m_\Sigma = \models'_{\Phi,\beta,\Sigma}$. This shows that $(\Phi, id_{\Phi;Sen'}, \beta) : \mathcal{I}^m \to \mathcal{I}'$ is also an institution 
transformation. 

“2”: The institution transformation conditions ensure $\models^m = \models_\alpha$ and $\models^m = \models'_{\Phi,\beta}$, 
respectively, thus we are done by the preceding propositions. □ 

Theorem 1 tells that the presence of an institution morphism $(\Phi, \alpha, \beta) : 
\mathcal{I} \to \mathcal{I}'$ indicates the existence of an intermediate institution that is related 
syntactically to $\mathcal{I}$ and semantically (up to reindexing) to $\mathcal{I}'$. The contravariance 
of $\alpha$ and $\beta$ in $(\Phi, \alpha, \beta) : \mathcal{I} \to \mathcal{I}'$ means that, in general, only a part of $\mathcal{I}$ is 
related to a part of $\mathcal{I}'$. This relational nature of institution morphisms is now 
made structurally explicit by the span characterization. 

Example 1 (Continued). The intermediate institution indicated by the institution 
morphism $(\Phi, \alpha, \beta) : MSFOL^= \to MSEL$ is $\mathcal{I}^m = (\mathbf{Sign}_{MSFOL^=}, \Phi; Sen_{MSEL}, 
Mod_{MSFOL^=}, \models^m)$. $\alpha : \Phi; Sen_{MSEL} \Rightarrow Sen_{MSFOL^=}$ is a natural injection, thus 
$\mathcal{I}^m = MSFOL^=|_\alpha$ can be seen as a syntactic subinstitution of $MSFOL^=$, i.e., 
as $MSFOL^=$ restricted to equational logic. Note that there are still predi- 
cate symbols in $\mathcal{I}^m$ but the predicate symbols are not used in the sentences. 
$\Phi : \mathbf{Sign}_{MSFOL^=} \to \mathbf{Sign}_{MSEL}$ and $\beta : Mod_{MSFOL^=} \Rightarrow \Phi^{op}; Mod_{MSEL}$ are 
surjective, thus $\mathcal{I}^m = MSEL_\Phi|_\beta$ can be seen as a “semantical multiple” of 
$MSEL$. That is, for any algebra $A \in |Mod_{MSEL}(S, OP)|$ and any $(S, OP, P) \in 
|\mathbf{Sign}_{MSFOL^=}|$ there are (infinitely) many representatives of $A$, i.e., first order 
structures $M \in |Mod_{MSFOL^=}(S, OP, P)|$ with $M| = A$. Note that both the 
set $P$ of predicate symbols and the interpretation of the predicate symbols are com- 
pletely arbitrary. □ 

We are not intending to start generalizing arrows between institutions on the 
basis of theorem D We will even not carry out the straightforward definition of 
corresponding categories of spans. Besides adding to the general understanding 
of different concepts of arrows between institutions, we are mainly interested 
to draw attention to the involved construction principles for institutions and to 
clarify the possible role of the intermediate institutions in applications. 

Note, e.g., that $\mathcal{I}$ and $\mathcal{I}|_\alpha$ have the same category of signatures and the same model functor, so that the pattern $\alpha(\Sigma)(\_) \models_\Sigma \alpha(\Sigma)(\_)$ can be taken to denote semantical consequence in $\mathcal{I}|_\alpha$. In such a way the proposition above could also be interpreted as stating that semantical consequences are reflected by the institution transformation $(\Phi, id_{\Phi;Sen'}, \beta) : \mathcal{I}|_\alpha \to \mathcal{I}'$. In general, semantical consequences are reflected by any institution transformation.

One of the main applications of institution morphisms in the literature is the construction of so-called duplex (and multiplex) institutions. We will sketch this construction in view of our above results: let $\mathcal{I}'$ be an institution which admits some special constraints, say, free constraints, as for instance the institution of many-sorted equational logic. Thus, out of $\mathcal{I}'$, we might define a new institution $C(\mathcal{I}') = (Sign', Sen_{free}, Mod', \models_{free})$ with a new sentence functor $Sen_{free} : Sign' \to Set$ and a new satisfaction relation (see the original definition of free constraints for details). Given an institution morphism $(\Phi,\alpha,\beta) : \mathcal{I} \to \mathcal{I}'$, we can relate $\mathcal{I}$ and $C(\mathcal{I}')$ by the pair $(\Phi,\beta) : \mathcal{I} \to C(\mathcal{I}')$ (without any condition), called an institution semi-morphism in the literature. Now we can construct the institution

$C(\mathcal{I}')_{\Phi,\beta} = (Sign, \Phi;Sen_{free}, Mod, \models_{\Phi,\beta})$

with the same category of signatures and the same model functor as $\mathcal{I}$, thus we can finally take the disjoint union of both sentence functors, with satisfaction defined separately.

Proposition 6 (Sum of sentence functors). Given two institutions $\mathcal{I}_1 = (Sign, Sen_1, Mod, \models^1)$ and $\mathcal{I}_2 = (Sign, Sen_2, Mod, \models^2)$ we can define a new institution $\mathcal{I}_1 + \mathcal{I}_2 = (Sign, Sen_{1+2}, Mod, \models^{1+2})$ with $Sen_{1+2}(\Sigma) := Sen_1(\Sigma) \uplus Sen_2(\Sigma)$ and $\models^{1+2}_\Sigma := \models^1_\Sigma \cup \models^2_\Sigma$ for each $\Sigma \in |Sign|$. □

The institution $\mathcal{I} + C(\mathcal{I}')_{\Phi,\beta}$ is called the duplex institution over $(\Phi,\alpha,\beta)$. Note, however, that $\alpha$, and thus the institution morphism condition, are not necessary for constructing $\mathcal{I} + C(\mathcal{I}')_{\Phi,\beta}$. Using the above mechanism we can extend the syntax of $\mathcal{I}$ by the syntax of as many institutions $\mathcal{I}''$ as we want, as long as we find a way to map signatures and models from $\mathcal{I}$ to $\mathcal{I}''$.

3 Plain Maps 

To account for relevant examples of relations between institutions, a group of new concepts of arrows was introduced in [8]. The plain variant, mapping signatures to signatures, is presented in

Definition 3 (Plain map of institutions, [8]). Let $\mathcal{I} = (Sign, Sen, Mod, \models)$ and $\mathcal{I}' = (Sign', Sen', Mod', \models')$ be institutions. A plain map of institutions $(\Phi,\alpha,\beta) : \mathcal{I} \to \mathcal{I}'$ is given by

– a functor $\Phi : Sign \to Sign'$,

– a natural transformation $\alpha : Sen \Rightarrow \Phi;Sen' : Sign \to Set$, and

– a natural transformation $\beta : \Phi^{op};Mod' \Rightarrow Mod : Sign^{op} \to Cat$

such that for each $\Sigma \in |Sign|$ the plain map condition

$\beta(\Sigma)(M') \models_\Sigma \varphi \iff M' \models'_{\Phi(\Sigma)} \alpha(\Sigma)(\varphi)$

holds for any $M' \in |Mod'(\Phi(\Sigma))|$ and $\varphi \in Sen(\Sigma)$. □
Example 2 ([8]). Consider the institutions of many-sorted equational logic $MSEL$ and of unsorted equational logic $EL$, respectively.

Firstly, forgetting sort symbols defines a functor $\Phi : Sign_{MSEL} \to Sign_{EL}$ with $\Phi(S,OP) := OP$ for each many-sorted equational signature $(S,OP) \in |Sign_{MSEL}|$. Secondly, any equation in context $(X \vdash t = u) \in Sen_{MSEL}(S,OP)$ can be considered as a sentence $(t = u) \in Sen_{EL}(\Phi(S,OP))$ once we omit the sort declarations of the variables. This gives a natural transformation $\alpha : Sen_{MSEL} \Rightarrow \Phi;Sen_{EL}$. Thirdly, any unsorted algebra $M \in |Mod_{EL}(\Phi(S,OP))|$ gives a many-sorted algebra $\beta(S,OP)(M) \in |Mod_{MSEL}(S,OP)|$, where $\beta(S,OP)(M)_s := M$ for every $s \in S$, and $op^{\beta(S,OP)(M)} := op^M$ for each $op \in OP$. This situation delivers a functor $\beta(S,OP) : Mod_{EL}(\Phi(S,OP)) \to Mod_{MSEL}(S,OP)$, and globally a natural injection $\beta : \Phi^{op};Mod_{EL} \Rightarrow Mod_{MSEL}$.

The plain map condition can be validated by observing that the assignments of $X$ into $\beta(S,OP)(M)$ are in one-to-one correspondence with the assignments of the corresponding unsorted set $\bigcup X$ of variables into $M$, since all components of $\beta(S,OP)(M)$ equal the carrier of $M$. □

Taking into account the reindexing of institutions, plain maps of institutions can be presented as the dual of institution morphisms.

Proposition 7. $(\Phi,\alpha,\beta) : \mathcal{I} \to \mathcal{I}'$ is a plain map of institutions

(a) iff $(id_{Sign}, \alpha, \beta) : \mathcal{I} \to \mathcal{I}'_\Phi$ is a plain map of institutions

(b) iff $(id_{Sign}, \alpha, \beta) : \mathcal{I}'_\Phi \to \mathcal{I}$ is an institution morphism. □

This duality allows us to adopt immediately all results of the last section for plain maps: for any plain map of institutions $(\Phi,\alpha,\beta) : \mathcal{I} \to \mathcal{I}'$ we can consider, firstly, the reindexed institution $\mathcal{I}'_\Phi$ prefixed by $\alpha$

$\mathcal{I}'_{\Phi,\alpha} = (Sign, Sen, \Phi^{op};Mod', \models_{\Phi,\alpha})$

with $\models_{\Phi,\alpha,\Sigma} := (id_{Mod'(\Phi(\Sigma))} \times \alpha(\Sigma))^{-1}(\models'_{\Phi(\Sigma)})$ for each $\Sigma \in |Sign|$, and, secondly, the institution $\mathcal{I}$ prefixed by $\beta$

$\mathcal{I}|_\beta = (Sign, Sen, \Phi^{op};Mod', \models_\beta)$

with $\models_{\beta,\Sigma} := (\beta(\Sigma) \times id_{Sen(\Sigma)})^{-1}(\models_\Sigma)$ for each $\Sigma \in |Sign|$. The plain map condition is equivalent to the requirement $\models_\beta = \models_{\Phi,\alpha}$. Finally, a plain map $(\Phi,\alpha,\beta) : \mathcal{I} \to \mathcal{I}'$ can be characterized uniquely by the existence of an intermediate institution $\mathcal{I}^m := \mathcal{I}|_\beta = \mathcal{I}'_{\Phi,\alpha}$ such that the two triples

$(id_{Sign}, id_{Sen}, \beta) : \mathcal{I}^m \to \mathcal{I}$ and $(\Phi, \alpha, id_{\Phi^{op};Mod'}) : \mathcal{I}^m \to \mathcal{I}'$

define institution transformations. This follows directly from Proposition 7 and Theorem 1 if we take into account that the institution transformation $(\Phi, \alpha, id_{\Phi^{op};Mod'}) : \mathcal{I}^m \to \mathcal{I}'$ can be decomposed into $(id_{Sign}, \alpha, id_{\Phi^{op};Mod'}) : \mathcal{I}^m \to \mathcal{I}'_\Phi$ and $(\Phi, id_{\Phi;Sen'}, id_{\Phi^{op};Mod'}) : \mathcal{I}'_\Phi \to \mathcal{I}'$.

Example 2 (Continued). The intermediate institution indicated by the plain map $(\Phi,\alpha,\beta) : MSEL \to EL$ is $\mathcal{I}^m = (Sign_{MSEL}, Sen_{MSEL}, \Phi^{op};Mod_{EL}, \models^m)$. $\mathcal{I}^m$ represents what both institutions $MSEL$ and $EL$ have in common according to $(\Phi,\alpha,\beta)$. $\mathcal{I}^m = EL_{\Phi,\alpha}$ is as $EL$, but with possible additional (sort) restrictions for building terms. Compared to $MSEL$, we lose in $\mathcal{I}^m = MSEL|_\beta$ the flexibility of choosing in models different components for different sorts. □

Typical applications of (plain) maps within system specifications are situations where $\Phi$ and $\alpha$ represent an extension or change of the syntax of an institution $\mathcal{I}$. As long as the models of the new syntax can be related to the models of $\mathcal{I}$, we can (partly) save the work on specifications already done in $\mathcal{I}$. By $\mathcal{I}'_{\Phi,\alpha} = \mathcal{I}|_\beta$ we can keep the old syntax, but now equipped with the new semantics. Note that only in case $\beta$ is surjective will the consistency of specifications be preserved. The institution transformation $(\Phi, \alpha, id_{\Phi^{op};Mod'}) : \mathcal{I}|_\beta \to \mathcal{I}'$ further provides the basis for building structured specifications with mixed syntax (see the next section).
Example 1 (Continued). The functor $\Phi : Sign_{MSFOL^=} \to Sign_{MSEL}$ has a left adjoint $E : Sign_{MSEL} \to Sign_{MSFOL^=}$ with $E(S,OP) := (S,OP,\emptyset)$. This means, by a general result in the literature, that the institution morphism $(\Phi,\alpha,\beta) : MSFOL^= \to MSEL$ can be equivalently represented by a plain map $(E,\alpha',\beta') : MSEL \to MSFOL^=$, where in this example $\alpha' : Sen_{MSEL} \Rightarrow E;Sen_{MSFOL^=}$ becomes a natural injection and $\beta' : E^{op};Mod_{MSFOL^=} \Rightarrow Mod_{MSEL}$ becomes even a natural isomorphism. That is, $MSEL|_{\beta'} = MSFOL^=_{E,\alpha'}$ is just as $MSEL$, but now considering algebras $M \in |Mod_{MSEL}(S,OP)|$ as first order structures $M \in |Mod_{MSFOL^=}(S,OP,\emptyset)|$. □

4 Simple Maps and Simulations 

There are many situations where we can translate signatures and sentences of an institution $\mathcal{I}$ into signatures and sentences of another institution $\mathcal{I}'$, but where only subclasses of the corresponding model classes in $\mathcal{I}'$ can be translated back into models of $\mathcal{I}$. Fortunately, in most cases we are able to axiomatize these subclasses within $\mathcal{I}'$.

Definition 4 (Simple maps of institutions, [8]). Let $\mathcal{I}$ and $\mathcal{I}'$ be institutions. A simple map of institutions $(\Phi,\Psi,\alpha,\beta) : \mathcal{I} \to \mathcal{I}'$ is given by

– a functor $\Phi : Sign \to Sign'$,

– a functor $\Psi : Sign \to Th'$ with $\Psi;sign' = \Phi$,

– a natural transformation $\alpha : Sen \Rightarrow \Phi;Sen' : Sign \to Set$, and

– a natural transformation $\beta : Mod'|_\Psi \Rightarrow Mod : Sign^{op} \to Cat$, where $Mod'|_\Psi := \Psi^{op};Mod'_{Th'}$ assigns to $\Sigma$ the models of $\mathcal{I}'$ satisfying the axioms of $\Psi(\Sigma)$,

such that for each $\Sigma \in |Sign|$ the simple map condition, i.e. the plain map condition of Definition 3, holds for any $M' \in |Mod'_{Th'}(\Psi(\Sigma))|$ and $\varphi \in Sen(\Sigma)$. □

Remark 1. We denote by $\Theta_\Sigma \subseteq Sen'(\Phi(\Sigma))$ the set of axioms induced by the translation of the signature $\Sigma$ along the functor $\Psi$, i.e., $\Psi(\Sigma) = (\Phi(\Sigma), \Theta_\Sigma)$. □

Example 3 ([8]). Consider the institutions of many-sorted equational logic $MSEL$ and of (unsorted) first order predicate logic with equality $FOL^=$, respectively.

Firstly, the functor $\Phi : Sign_{MSEL} \to Sign_{FOL^=}$ is given by translating any many-sorted signature $\Sigma = (S,OP)$ into the first order signature $(OP, P_S)$ with unary typing predicates $P_S = \{\pi_s \mid s \in S\}$. Secondly, any equation in context $\varphi = (X \vdash t = u) \in Sen_{MSEL}(\Sigma)$, where $X$ is an $S$-sorted family of variables $x_1{:}s_1, \ldots, x_n{:}s_n$, can be translated into a first order sentence $(\forall x_1, \ldots, x_n . \pi_{s_1}(x_1) \wedge \ldots \wedge \pi_{s_n}(x_n) \Rightarrow t = u) \in Sen_{FOL^=}(OP, P_S)$, i.e., we actually have a natural transformation $\alpha : Sen_{MSEL} \Rightarrow \Phi;Sen_{FOL^=}$. Thirdly, the introduction of typing predicates allows us to extract a $\Sigma$-algebra $A$ out of any $(OP,P_S)$-structure $M$, where $A_s := \{m \mid \pi_s^M(m)\}$ and $op^A : A_{s_1} \times \cdots \times A_{s_n} \to A_s$ is the corresponding restriction of $op^M : M \times \cdots \times M \to M$. In general, we obtain by this procedure partial operations $op^A$, so that we have to restrict the translation to those $(OP,P_S)$-structures $M$ that represent total $\Sigma$-algebras, i.e., structures $M$ satisfying the set of additional axioms $\Theta_\Sigma = \{\forall x_1, \ldots, x_n . \pi_{s_1}(x_1) \wedge \ldots \wedge \pi_{s_n}(x_n) \Rightarrow \pi_s(op(x_1, \ldots, x_n)) \mid op : s_1 \ldots s_n \to s \in OP\}$. This gives rise to a functor $\Psi : Sign_{MSEL} \to Th_{FOL^=}$ and a natural transformation $\beta : Mod_{FOL^=}|_\Psi \Rightarrow Mod_{MSEL}$. Note, finally, that the typing premise $\pi_{s_1}(x_1) \wedge \ldots \wedge \pi_{s_n}(x_n)$ in $\alpha(\Sigma)(\varphi)$ ensures that all first order representatives of an algebra $A$ will satisfy $\alpha(\Sigma)(\varphi)$ if $A$ satisfies $\varphi$. The implication in the other direction would be valid even if we omitted the typing premise. □
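As an added worked example (not part of the original paper), the following Python code carries Example 3 through on a constructed finite instance: a two-sorted signature, an unsorted $(OP, P_S)$-structure $M$ with typing predicates $\pi_{nat}, \pi_{bool}$, the totality axioms $\Theta_\Sigma$, the extraction of the $\Sigma$-algebra $\beta(M)$, and a check of the simple map condition $\beta(M) \models \varphi \iff M \models \alpha(\Sigma)(\varphi)$ for equations in context. It also exhibits the point made in the last sentence above: once the typing premise is dropped, the translated sentence can fail in $M$ although $\beta(M)$ satisfies the equation. The signature, the structure and the equations are assumptions chosen for illustration only.

```python
from itertools import product

# Constructed two-sorted signature Sigma = (S, OP) (illustration, not from the paper):
# op name -> (argument sorts, result sort)
OPS = {
    "zero":   ((), "nat"),
    "succ":   (("nat",), "nat"),
    "iszero": (("nat",), "bool"),
    "false":  ((), "bool"),
}

# A term is a variable name (str) or a pair (op_name, tuple_of_subterms).
def eval_term(term, ops, env):
    """Evaluate a term in a structure given by its operation table `ops`."""
    if isinstance(term, str):
        return env[term]
    op, args = term
    return ops[op](*(eval_term(a, ops, env) for a in args))

def satisfies_theta(M, pi):
    """Theta_Sigma: for every op : s1...sn -> s and typed arguments, pi_s(op(x1..xn)) holds,
    i.e. every operation of M is total on the carriers cut out by the typing predicates."""
    for op, (arg_sorts, res) in OPS.items():
        for args in product(*(sorted(pi[s]) for s in arg_sorts)):
            if M[op](*args) not in pi[res]:
                return False
    return True

def beta(M, pi):
    """beta(M): the Sigma-algebra with carriers A_s = {m | pi_s(m)} and op^M restricted
    to these carriers; the restriction is total exactly when Theta_Sigma holds."""
    if not satisfies_theta(M, pi):
        raise ValueError("M violates Theta_Sigma: some operation is only partial on beta(M)")
    return {"carriers": pi, "ops": M}

def algebra_satisfies(A, ctx, lhs, rhs):
    """A |= (X |- lhs = rhs): sorted assignments of the context X range over the carriers."""
    xs = list(ctx)
    for vals in product(*(sorted(A["carriers"][ctx[x]]) for x in xs)):
        env = dict(zip(xs, vals))
        if eval_term(lhs, A["ops"], env) != eval_term(rhs, A["ops"], env):
            return False
    return True

def structure_satisfies(M, universe, pi, ctx, lhs, rhs, typed=True):
    """M |= alpha(Sigma)(X |- lhs = rhs) = forall x1..xn . pi_s1(x1) /\ ... => lhs = rhs,
    the variables ranging over the whole unsorted universe of M.
    typed=False drops the typing premise (the variant discussed at the end of Example 3)."""
    xs = list(ctx)
    for vals in product(sorted(universe, key=str), repeat=len(xs)):
        env = dict(zip(xs, vals))
        if typed and not all(env[x] in pi[ctx[x]] for x in xs):
            continue  # premise false, so the implication holds for this assignment
        if eval_term(lhs, M, env) != eval_term(rhs, M, env):
            return False
    return True

def simple_map_condition(M, universe, pi, equations):
    """beta(M) |= phi  iff  M |= alpha(Sigma)(phi), checked for every given equation."""
    A = beta(M, pi)
    return all(algebra_satisfies(A, *eq) == structure_satisfies(M, universe, pi, *eq)
               for eq in equations)

# Constructed (OP, P_S)-structure M: one unsorted universe and two typing predicates.
UNIVERSE = {0, 1, 2, "T", "F"}
PI = {"nat": {0, 1, 2}, "bool": {"T", "F"}}
SUCC = {0: 1, 1: 2, 2: 2, "T": "T", "F": "F"}          # saturating successor
ISZERO = {0: "T", 1: "F", 2: "F", "T": "T", "F": "F"}  # arbitrary on untyped elements
M = {"zero": lambda: 0, "succ": SUCC.__getitem__,
     "iszero": ISZERO.__getitem__, "false": lambda: "F"}

# Equations in context as (context, lhs, rhs).
X = {"x": "nat"}
EQ_HOLDS = (X, ("iszero", (("succ", ("x",)),)), ("false", ()))  # {x:nat} |- iszero(succ(x)) = false
EQ_FAILS = (X, ("succ", ("x",)), "x")                         # {x:nat} |- succ(x) = x

def demo():
    bad_M = dict(M, succ={**SUCC, 2: "T"}.__getitem__)  # succ leaves pi_nat: violates Theta_Sigma
    return {
        "theta_ok": satisfies_theta(M, PI),
        "theta_violated_by_bad_M": not satisfies_theta(bad_M, PI),
        "condition_holds": simple_map_condition(M, UNIVERSE, PI, [EQ_HOLDS, EQ_FAILS]),
        "A_sat_eq1": algebra_satisfies(beta(M, PI), *EQ_HOLDS),
        "M_sat_untyped_eq1": structure_satisfies(M, UNIVERSE, PI, *EQ_HOLDS, typed=False),
    }
```

`demo()` reports that $M$ satisfies $\Theta_\Sigma$ while the variant with `succ(2) = "T"` does not, that the simple map condition holds for both equations, and that the first equation is satisfied by $\beta(M)$ (and by $M$ with the typing premise) but not by $M$ once the premise is dropped, because the untyped element `"T"` is then also a value of $x$.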

According to the definition of generalized model functors and the assumption $\Psi;sign' = \Phi$ we have

Corollary 1. Let $\mathcal{I}$, $\Phi$, and $\Psi$ be given as in Definition 4. Then there is a natural inclusion $in_\Psi : \Psi^{op};Mod'_{Th'} \Rightarrow \Phi^{op};Mod' : Sign^{op} \to Cat$. □

Using the functor $\Phi : Sign \to Sign'$ and the natural inclusion $in_\Psi$ we obtain, according to the propositions above, the (semantically) restricted reindexed institution

$\mathcal{I}'_{\Phi,in_\Psi} = (Sign, \Phi;Sen', \Psi^{op};Mod'_{Th'}, \models_{\Phi,in_\Psi})$,

where $\models_{\Phi,in_\Psi,\Sigma} = \models'_{\Phi(\Sigma)} \cap (|Mod'_{Th'}(\Psi(\Sigma))| \times Sen'(\Phi(\Sigma)))$, since pre-images w.r.t. inclusions are actually intersections. The institution $\mathcal{I}'_{\Phi,in_\Psi}$ fixes the result of cutting out those models of $\mathcal{I}'_\Phi$ that can be related to models in $\mathcal{I}$. As an immediate consequence of the definition of $\mathcal{I}'_{\Phi,in_\Psi}$ we have

Corollary 2. $(\Phi, id_{\Phi;Sen'}, in_\Psi) : \mathcal{I}'_{\Phi,in_\Psi} \to \mathcal{I}'$ is an institution transformation.

The simple map condition includes universal quantification over $|Mod'_{Th'}(\Psi(\Sigma))|$, and thus it can be seen as relating satisfaction in $\mathcal{I}$ and in $\mathcal{I}'_{\Phi,in_\Psi}$ in a plain way.

Proposition 8. $(\Phi,\Psi,\alpha,\beta) : \mathcal{I} \to \mathcal{I}'$ is a simple map of institutions

(a) iff $(id_{Sign}, \alpha, \beta) : \mathcal{I} \to \mathcal{I}'_{\Phi,in_\Psi}$ is a plain map of institutions

(b) iff $(id_{Sign}, \alpha, \beta) : \mathcal{I}'_{\Phi,in_\Psi} \to \mathcal{I}$ is an institution morphism. □

The span characterization of institution morphisms in Theorem 1 now provides for any simple map $(\Phi,\Psi,\alpha,\beta) : \mathcal{I} \to \mathcal{I}'$ an intermediate institution

$\mathcal{I}^m := \mathcal{I}|_\beta = \mathcal{I}'_{\Phi,in_\Psi,\alpha} = (Sign, Sen, Mod'|_\Psi, \models^m)$

and a span of institution transformations

$(id_{Sign}, id_{Sen}, \beta) : \mathcal{I}^m \to \mathcal{I}$ and $(\Phi, \alpha, in_\Psi) : \mathcal{I}^m \to \mathcal{I}'$.

In contrast to plain maps, we cannot fully characterize simple maps by the corresponding span of institution transformations, since only the intermediate model functor $Mod'|_\Psi : Sign^{op} \to Cat$, and not its axiomatization $\Psi : Sign \to Th'$, can be reconstructed from the span.

The application of simple maps within system specifications is the same as for plain maps. By $\mathcal{I}^m = \mathcal{I}|_\beta = \mathcal{I}'_{\Phi,in_\Psi,\alpha}$ we have the old syntax of $\mathcal{I}$ with new models borrowed from $\mathcal{I}'$. The crucial difference is that the borrowing is not complete, i.e., the institution transformation $(\Phi,\alpha,in_\Psi) : \mathcal{I}^m \to \mathcal{I}'$ is not surjective on models. The good point, however, is that the codomains of $in_\Psi$ can be axiomatized within $\mathcal{I}'$, thus we still have a proper basis for building structured specifications with mixed syntax: structured specifications in an institution $\mathcal{I}$ are usually modeled as diagrams of theories (specifications) and theory morphisms in $Th$. Using $(\Phi,\alpha,in_\Psi) : \mathcal{I}^m \to \mathcal{I}'$ we can now relate theories in $Th^m$ and $Th'$, where $Th^m$ denotes the category of theories derived from the intermediate institution $\mathcal{I}^m = \mathcal{I}|_\beta$. $Th$ is a subcategory of $Th^m$ with $|Th| = |Th^m|$, where $Th$ becomes a proper subcategory of $Th^m$ if $\beta : Mod'|_\Psi \Rightarrow Mod$ is non-surjective. Any natural transformation $\alpha : Sen \Rightarrow \Phi;Sen'$ allows us to extend the functor $\Psi : Sign \to Th'$ to a functor $\Psi_\alpha : Th \to Th'$ by defining $\Psi_\alpha(\Sigma,\Gamma) := (\Phi(\Sigma), \alpha(\Sigma)(\Gamma) \cup \Theta_\Sigma)$. The simple map condition ensures that this also defines a functor $\Psi_\alpha : Th^m \to Th'$, where we have $\Psi_\alpha^{op};Mod'_{Th'} = (Mod'|_\Psi)_{Th^m}$ for the generalized model functor $(Mod'|_\Psi)_{Th^m} : (Th^m)^{op} \to Cat$ of $\mathcal{I}^m$. Note that this equation makes explicit that the semantical effects of the partial model translation $\beta$ can be syntactically coded by $\Psi$ and $\alpha$.

Structured specifications with mixed syntax can now be given by theories in $Th^m$ and $Th'$ and morphisms in $Th^m$ and $Th'$, respectively, together with morphisms $(\Phi,\alpha) : (\Sigma,\Gamma) \to (\Sigma',\Gamma')$ relating specifications of different syntax (compare the notion of extra theory morphisms).

Example 3 (Continued). The intermediate institution indicated by the simple map $(\Phi,\Psi,\alpha,\beta) : MSEL \to FOL^=$ is $\mathcal{I}^m = (Sign_{MSEL}, Sen_{MSEL}, Mod_{FOL^=}|_\Psi, \models^m)$. It can be proved that $\beta : Mod_{FOL^=}|_\Psi \Rightarrow Mod_{MSEL}$ is a natural surjection, such that $\mathcal{I}^m = MSEL|_\beta$ can be seen as a semantical multiple of $MSEL$, i.e., any algebra in $MSEL$ is now represented by possibly infinitely many first order structures. $\Phi : Sign_{MSEL} \to Sign_{FOL^=}$ is injective and $\alpha : Sen_{MSEL} \Rightarrow \Phi;Sen_{FOL^=}$ is a natural injection, thus $\mathcal{I}^m = FOL^=_{\Phi,in_\Psi,\alpha}$ can be considered as both a semantical and a syntactical subinstitution of $FOL^=$. □

Remark 2. Note that functors $\Psi : Sign \to Th'$ and the corresponding construction of the institution $\mathcal{I}'_{\Phi,in_\Psi}$ appear in practice if we want to use signatures with "syntactic sugar" such as, e.g., attributes for operation symbols like total, associative, and so on. $Sign$ is the category of the intended signatures with "syntactic sugar", $\Psi : Sign \to Th'$ resolves the "syntactic sugar", and $\mathcal{I}'_{\Phi,in_\Psi}$ is the institution $\mathcal{I}'$ but now equipped with "sugared signatures". This technique is used, e.g., to define the institution underlying the specification language CASL, i.e., the institution of coherent order-sorted algebras enriched with sort constraints. In this case $\mathcal{I}'$ is the institution of many-sorted partial first order logic with equality, $Sign$ is the category of subsorted signatures, and $\Psi$ translates relations between sorts into extra operation symbols and conditional equations. □

In cases where the logic of $\mathcal{I}'$ is not strong enough to axiomatize the intermediate model functor, we can use the notion of simulation [2], which is based directly on a partial translation of models. Note that we could force such a situation in Example 3 by choosing $EL$ instead of $FOL^=$.

Definition 5 ((Weak) Simulation, [2]). Let $\mathcal{I}$ and $\mathcal{I}'$ be institutions. A weak simulation $(\Phi,\alpha,\beta_p) : \mathcal{I} \to \mathcal{I}'$ is given by a functor $\Phi : Sign \to Sign'$, a natural transformation $\alpha : Sen \Rightarrow \Phi;Sen' : Sign \to Set$, and a partial natural transformation $\beta_p : \Phi^{op};Mod' \Rightarrow Mod : Sign^{op} \to Cat$, i.e., a family of functors $\beta(\Sigma) : dom(\beta_p(\Sigma)) \to Mod(\Sigma)$ with $dom(\beta_p(\Sigma)) \subseteq Mod'(\Phi(\Sigma))$ such that for any $\phi : \Sigma_1 \to \Sigma_2$ in $Sign$

(a) $Mod'(\Phi(\phi))(dom(\beta_p(\Sigma_2))) \subseteq dom(\beta_p(\Sigma_1))$, and

(b) $dom(\beta_p(\phi));\beta(\Sigma_1) = \beta(\Sigma_2);Mod(\phi)$

for the corresponding restriction $dom(\beta_p(\phi)) : dom(\beta_p(\Sigma_2)) \to dom(\beta_p(\Sigma_1))$ of the functor $Mod'(\Phi(\phi)) : Mod'(\Phi(\Sigma_2)) \to Mod'(\Phi(\Sigma_1))$, which is well-defined by condition (a). Moreover, for each $\Sigma \in |Sign|$ the simulation condition

$\beta(\Sigma)(M') \models_\Sigma \varphi \iff M' \models'_{\Phi(\Sigma)} \alpha(\Sigma)(\varphi)$

holds for any $M' \in |dom(\beta_p(\Sigma))|$ and $\varphi \in Sen(\Sigma)$.

$(\Phi,\alpha,\beta_p)$ is called a simulation if additionally $\beta(\Sigma) : dom(\beta_p(\Sigma)) \to Mod(\Sigma)$ is surjective on $|Mod(\Sigma)|$ for each $\Sigma \in |Sign|$. □

The information assumed about the partial natural transformation above can be presented in a more structured way.

Corollary 3 (Partial natural transformation). A partial natural transformation $\beta_p : \Phi^{op};Mod' \Rightarrow Mod : Sign^{op} \to Cat$ as in Definition 5 can be equivalently described by

– a functor $dom(\beta_p) : Sign^{op} \to Cat$,

– a natural transformation $\beta : dom(\beta_p) \Rightarrow Mod : Sign^{op} \to Cat$, and

– a natural inclusion $in : dom(\beta_p) \Rightarrow \Phi^{op};Mod' : Sign^{op} \to Cat$. □

The absence of an axiomatization of the intermediate model functor $dom(\beta_p) : Sign^{op} \to Cat$ via a functor $\Psi : Sign \to Th'$ is the only difference between weak simulations and simple maps. Hence, we can directly assume the corresponding versions of Corollary 2 and Proposition 8 for weak simulations. The span characterization, however, applies to weak simulations exactly because there is no axiomatization to be taken into account.

Theorem 2 (Intermediate institution).

1. Let $(\Phi,\alpha,\beta_p) : \mathcal{I} \to \mathcal{I}'$ be a weak simulation. Then there is an institution $\mathcal{I}^m = (Sign, Sen, dom(\beta_p), \models^m)$ such that the two triples

$(id_{Sign}, id_{Sen}, \beta) : \mathcal{I}^m \to \mathcal{I}$ and $(\Phi, \alpha, in) : \mathcal{I}^m \to \mathcal{I}'$

define institution transformations.

2. Vice versa, given an institution $\mathcal{I}^m = (Sign, Sen, dom(\beta_p), \models^m)$ and institution transformations

$(id_{Sign}, id_{Sen}, \beta) : \mathcal{I}^m \to \mathcal{I}$ and $(\Phi, \alpha, in) : \mathcal{I}^m \to \mathcal{I}'$

with $in : dom(\beta_p) \Rightarrow \Phi^{op};Mod' : Sign^{op} \to Cat$ a natural inclusion, we can define a partial natural transformation $\beta_p : \Phi^{op};Mod' \Rightarrow Mod : Sign^{op} \to Cat$ such that the triple $(\Phi,\alpha,\beta_p) : \mathcal{I} \to \mathcal{I}'$ defines a weak simulation.

Proof. Follows directly from the propositions and theorems above, where we have to take into account that the institution transformation $(\Phi,\alpha,in) : \mathcal{I}^m \to \mathcal{I}'$ can be decomposed into $(id_{Sign}, \alpha, id_{dom(\beta_p)}) : \mathcal{I}^m \to \mathcal{I}'_{\Phi,in}$ and $(\Phi, id_{\Phi;Sen'}, in) : \mathcal{I}'_{\Phi,in} \to \mathcal{I}'$. □

To make the paper complete to a certain point, we will finally state how general maps of institutions in the sense of [8] can be described (see [8] for details).

Proposition 9. Let institutions $\mathcal{I}$, $\mathcal{I}'$ and functors $\Phi : Sign \to Sign'$, $T : Th \to Th'$ be given such that $sign;\Phi = T;sign'$. Then $(\Phi,T,\alpha,\beta) : \mathcal{I} \to \mathcal{I}'$ defines a map of institutions in the sense of [8] iff $((in;T)_\alpha)^{op};Mod'_{Th'} = T^{op};Mod'_{Th'}$ and $(\Phi, in;T, \alpha, \beta) : \mathcal{I} \to \mathcal{I}'$ is a simple map of institutions in the sense of Definition 4, where $in : Sign \to Th$ regards a signature as a theory without axioms. □

Note that $(in;T)_\alpha$ and $T$ are different. A map is just a simple map with an additional translation of theories. This additional translation, however, does not matter so much, since its semantical effects, and thus also its logical effects, are already described by the simple map. In this sense there is nothing to add concerning general maps in view of the considerations and results of this paper.



5 Concluding Remarks 

The concept of instit; nevertheless, during the last decade it became very helpful for presenting logical systems in a uniform way, for developing a general theory of structured and modular specifications, for describing and investigating translations of logics into universal frameworks, and so on.

Driven by different application needs, concepts of arrows between institutions are often formulated in a very involved technical way. By keeping the abstract level of consideration, we were able to give a well-structured presentation of these concepts and of their relations. The crucial observation was that any translation of signatures, sentences, or models, respectively, gives rise to the construction of a new institution. Based on these constructions we were able to describe any arrow as an arrow between institutions of the same scheme, i.e., with the same category of signatures. Thus, at this abstract level, institution morphisms and plain maps appear as dual concepts. Further, we have seen that any arrow can be characterized by the existence of an intermediate institution.

We hope that the achieved clarification of the nature of the considered concepts of arrows will provide a better basis for a general understanding and a broader use of these important concepts. Moreover, we think that the concepts and results of this paper should provide an appropriate conceptual level for a concise and well-structured development and presentation of all the results concerning programming in the large, multi-paradigm languages, combination of logics, and so on.



Acknowledgment: We are indebted to the anonymous referees of this paper for 
the very helpful criticisms. They gave us a chance to make a significant revision, 
and hopefully also to achieve a considerable improvement in the presentation as 
well. 
Abstract. This paper presents a solution to the so-called oracle problem for oracles derived from flat algebraic specifications expressed in first-order logic. The oracle problem in this context reduces to the general problem of comparing two values of a non-observable sort and also to the limitations imposed by quantifiers. The solution is based on constructing an oracle where equality between values of a non-observable sort is computed by one of two "approximate" equalities, according to the context in which the equation occurs. The interpretation given by the oracle does not make any assumptions on test sets and depends on how these equalities approximate the behavioural equality, which is based on behavioural theories, and also on the use of quantifiers.

Keywords: specification-based testing, algebraic specification, formal verification, oracle, correctness.



1 Introduction 

A considerable number of works in the area of specification-based testing have pointed out that testing can be successfully used in the formal development of software. The aim is to derive test suites from a specification so that testing can be applied whenever formal proofs are not cost-effective. Moreover, the combination of formal proofs and testing can help to produce high-integrity systems in a cost-effective way. However, a great effort is still needed in order to have testing as a standard activity in formal frameworks. For instance, the accurate interpretation of testing results seems to be a crucial point.

The process of testing programs consists not only in submitting various combinations of input values to them, but also in giving a coherent interpretation to the results they produce when receiving these values. Along with selecting test data sets, specialised mechanisms to assist the testing process, widely called oracles, must also be carefully planned. However, the literature on specification-based testing has mainly concentrated on refining test sets. Some exceptions are the works of Bernot and Gaudel in the context of positive conditional specifications, and Le Gall and Arnould, who give an interpretation, using institutions, of observable results obtained from dynamic testing. Also, Dick and Faivre and Richardson et al. pointed out that formal specifications can be used as oracles for software testing. Although some theoretical issues about oracles have already been considered, a feasible method has not yet emerged. Furthermore, the reasons for defining automated oracles are quite obvious: human oracles are usually imprecise and error-prone, while automated oracles derived from consistent and unambiguous sources can lead to more efficiency, feasibility and reliability in the testing process. Also, any effort to refine test sets can be useless without an effective and accurate oracle, but we show in this paper that oracles can be defined independently of test sets.

Here we concentrate on generating oracles from algebraic specifications expressed in first-order logic rather than on refining test sets or defining levels of correctness, although some hints on these are given, insofar as it is quite unreasonable to investigate one of these subjects without considering the others. We do not only stay in the field of pure specification-based testing, but also consider "white-box" techniques. More precisely, we are concerned with the oracle problem, that is, whether there is a decidable oracle for interpreting the results of a testing experiment. As Gaudel pointed out, the oracle problem often reduces to the more general problem of comparing values of a non-observable sort, which makes oracles undecidable in general. However, the use of quantifiers in specifications can make the oracle problem even more difficult than in the context of positive conditional specifications investigated so far, as infinite test sets may be required. We aim at giving a solution to this problem, that is, given a specification of a programming task, how an oracle and, more precisely, an equality procedure for non-observable sorts may be constructed, and what can be concluded about the correctness of the program being tested.

The paper is organised as follows. Section 2 presents a formal definition of oracle and test set along with a general correctness theorem. Section 3 approaches the oracle problem and presents some proposals on how to define equality for non-observable sorts. Section 4 introduces the idea of an approximate equality and oracle, and the main theorems of the paper which underlie the method of generating oracles proposed in Section 5. Section 6 presents an application of this method to the unification algorithm. Finally, some concluding remarks along with pointers for further work are given in Section 7. In the sequel, we assume the reader is familiar with the general concepts of algebraic specifications. Extended ML (EML) is used in the examples, but the notation is mostly self-explanatory. Let $SP = (\Sigma, \Phi)$ be a specification, where $\Sigma = (S, F)$ is a signature and $\Phi$ is a set of axioms, and let $T_\Sigma(X)$ be the $\Sigma$-term algebra, where $X$ is an $S$-indexed set of countably infinite sets of variables. For any two $\Sigma$-terms $t$ and $t'$ of the same sort, $t = t'$ is a $\Sigma$-equation, and first-order $\Sigma$-formulas are built from $\Sigma$-equations, logical connectives $(\neg, \wedge, \vee, \Rightarrow, \Leftrightarrow)$ and quantifiers $(\forall, \exists)$. A $\Sigma$-formula without free variables is called a $\Sigma$-sentence. Also, let $Var(t)$ denote the set of variables occurring in a $\Sigma$-term $t$. For any $\Sigma$-algebra $A$ and valuation $v : X \to |A|$, there exists a unique $\Sigma$-homomorphism $v^* : T_\Sigma(X) \to A$ which extends $v$. The value of $t \in |T_\Sigma(X)|_s$ in $A$ under $v$ is $v^*(t) \in |A|_s$, where $s \in S$. If $t \in T_\Sigma$, that is, $t$ is a ground $\Sigma$-term, the value of $t$ in $A$ is $\varepsilon(t)$, where $\varepsilon : T_\Sigma \to A$ is unique.

2 Basic Concepts 

When verifying a program against a specification, oracles should check the results obtained from tests against exactly what was specified for each function. The best way of verifying a function, which is the procedure adopted by formal proofs, is to check whether it satisfies its axioms rather than comparing the values it produces with pre-defined targets. So, testing a function should not be different if we would like to reach similar conclusions regarding correctness. Definitions 1 and 2 follow this idea and give our view of what a test set and an oracle for a specification are. These definitions differ from the standard ones in the sense that test sets are defined as a subset of the operations' domain in the standard theory of testing and as a subset of the carrier sets of an algebra in Definition 1, that is, test sets are defined for each operation in the former and for a whole algebra in the latter. Moreover, the standard definition of oracle is based on the standard practice of testing, where each operation is individually executed for all values of a test set and the results are compared with the target ones, while Definition 2 is a specific and automated way of interpreting the general notion of behavioural satisfaction of $\Sigma$-formulas, and the results are verified rather than compared with targets. The reason for this is that in order to formally verify an implementation, all axioms are proved without being sorted out, rather than treating individual functions separately. As we are considering behavioural satisfaction, test sets should only have values which can be expressed by a ground term in $T_\Sigma$.

Definition 1 (A-test set). Let $A$ be a $\Sigma$-algebra. $T = \{T_s\}_{s \in S}$ is an $A$-test set iff $T \subseteq |\varepsilon(T_\Sigma)|$, i.e., $T_s \subseteq |\varepsilon(T_\Sigma)|_s$ for all $s \in S$.

Let a behavioural equality $\approx_A$ be a partial congruence relation, that is, a symmetric and transitive relation on $A$ which is compatible¹ with $\Sigma$. A behavioural equality is total if it is reflexive, that is, for all $a$ in $A$, $a \approx_A a$ (the subscript $s$ is omitted for the sake of simplicity). Also, for any set $Obs$ of observable sorts, $\approx_{Obs,A}$ will denote an observational equality with respect to $Obs$, a special case of the behavioural equality where related elements are those that cannot be distinguished by observable computations². In the sequel, the family $\approx = (\approx_{A,s})_{s \in S}$ will denote a $\Sigma$-behavioural equality.

¹ $\forall f : s_1 \ldots s_n \to s,\ a_i, b_i \in A_{s_i} .\ a_i \approx_{A,s_i} b_i \Rightarrow f(a_1, \ldots, a_n) \approx_{A,s} f(b_1, \ldots, b_n)$

² Let $C_{Obs}$ be the set of all $\Sigma$-contexts $T_\Sigma(X \cup \{z_s\})$ of observable sorts, where $z_s$ is a context variable. Values $a$ and $b$ of a non-observable sort $s$ are observationally equal, $a \approx_{Obs,A} b$, iff they cannot be distinguished by observable contexts, i.e., $\forall C \in C_{Obs}\ \forall \alpha : X \to |A| .\ \alpha_a^*(C) = \alpha_b^*(C)$, where $\alpha^* : T_\Sigma(X) \to |A|$, and $\alpha_a, \alpha_b : X \cup \{z_s\} \to |A|$ are the unique extensions of $\alpha$ defined by $\alpha_a(z_s) = a$ and $\alpha_b(z_s) = b$.
Definition 2. Let $A$ be a $\Sigma$-algebra, let $T$ be an $A$-test set, and let $\approx$ be a $\Sigma$-behavioural equality. The interpretation of a first-order $\Sigma$-formula under a valuation $\alpha : X \to |A|$ is given as follows.

1. $[t = t']_\alpha^\approx := \alpha^*(t) \approx \alpha^*(t')$

2. $[\varphi_1 \odot \varphi_2]_\alpha^\approx := [\varphi_1]_\alpha^\approx \odot [\varphi_2]_\alpha^\approx$, where $\odot \in \{\wedge, \vee\}$

3. $[\neg\varphi]_\alpha^\approx := \neg[\varphi]_\alpha^\approx$

4. $[\varphi_1 \Rightarrow \varphi_2]_\alpha^\approx := \neg[\varphi_1]_\alpha^\approx \vee [\varphi_2]_\alpha^\approx$

5. $[\varphi_1 \Leftrightarrow \varphi_2]_\alpha^\approx := ([\varphi_1]_\alpha^\approx \Rightarrow [\varphi_2]_\alpha^\approx) \wedge ([\varphi_2]_\alpha^\approx \Rightarrow [\varphi_1]_\alpha^\approx)$

6. $[\forall x{:}s . \varphi]_\alpha^\approx := \bigwedge_{v \in T_s} [\varphi]_{\alpha[x \mapsto v]}^\approx$

7. $[\exists x{:}s . \varphi]_\alpha^\approx := \bigvee_{v \in T_s} [\varphi]_{\alpha[x \mapsto v]}^\approx$

where $\alpha[x \mapsto v]$ denotes the valuation $\alpha$ superseded at $x$ by $v$.

When $\varphi$ is a $\Sigma$-sentence, then $[\varphi]_\alpha^\approx = [\varphi]_\beta^\approx$ for any valuations $\alpha$ and $\beta$. So, we write $[\varphi]^\approx$ without the subscript.

Definition 3 (SP-Oracle). Let $\Phi = \{\varphi_1, \varphi_2, \ldots, \varphi_n\}$ be the set of axioms of a flat specification $SP$, where each $\varphi_i$ is a first-order $\Sigma$-sentence, let $\approx$ be a $\Sigma$-behavioural equality, let $A$ be a $\Sigma$-algebra, and let $T$ be an $A$-test set. An $SP$-oracle $O$ for verifying whether $A$ conforms to $SP$ on $T$ is as follows.

$O(T) := [\varphi_1]^\approx \wedge [\varphi_2]^\approx \wedge \ldots \wedge [\varphi_n]^\approx$

Example 1 (SP-oracle). An $SP$-oracle for a stack specification $S$ with the usual operations and axioms is given by the o_S function below, where the axioms are grouped to test all functions at the same time. The test set consists of a list of stacks and a list of integers. The o_forall function, which implements the $\forall$ quantifier over the test set, is also given below.

fun o_forall [] pred = true |
    o_forall (x::xs) pred = (pred x) andalso o_forall xs pred;

fun o_S (ls, ln) = o_forall ls (fn s => o_forall ln (fn n =>
    (top(push(n,s)) = n) andalso (pop(push(n,s)) == s) andalso
    (is_empty(push(n,s)) = false) andalso (is_empty(empty) = true)));

where "==" is the specificational equality construct of EML, which makes the o_S function non-executable unless an explicit equality on stacks is defined. Section 3 addresses this problem. □

Exhaustive test sets, which exercise a program with all possible combinations of values, are usually infinite, and some refinements must be applied to make them finite. Test sets may also be valid and/or unbiased in the following sense.

Definition 4 (Exhaustive, Valid and Unbiased A-test sets). Let $O$ be an $SP$-oracle, $T$ be an $A$-test set and $D := |\varepsilon(T_\Sigma)|$.

– $D$ is an exhaustive $A$-test set;

– $T$ is a valid $A$-test set iff $O(T) = true$ implies $O(D) = true$;

– $T$ is an unbiased $A$-test set iff $O(D) = true$ implies $O(T) = true$.

Any $T \subseteq D$ is always unbiased in the context of the positive conditional specifications investigated in the literature. Nevertheless, $T$ is not always unbiased in general. For example, if $\varphi$ has only existential quantifiers then $O(T) = true \Rightarrow O(D) = true$ for any $T$, but the converse may not hold.

Theorem 1 (Correctness). Let ~ be a E -behavioural equality, such thatVv ■ 
vsev^v G *Te, let T be an A-test set and let O be an SP-oracle where the 
standard equality is interpreted os If T is valid and unbiased, then A 
iff 0(T) = true, where is the behavioural satisfaction relation w.r.t. «. 

Proof. Follows from definitions 0and0 and the fact that « is reflexive on values 
of ground terms by the compatibility condition. □ 



3 The Oracle Problem 

In this section, we introduce some approaches to tackle the oracle problem. Inspired by work on behavioural theories, where equality between two elements of an algebra is interpreted by the behavioural equality [2], we focus on comparing two values of a non-observable sort, along with the limitations imposed by quantifiers, which are also central to the oracle problem.

Revisiting example 1, it can be noticed that o_S is not computable because the evaluation of "==" is undefined. Also, the arguments ls and ln are likely to be infinite due to the $\forall$ quantifier. One way of verifying "==" is to interpret it up to observational equivalence, that is, "==" can be interpreted by the observational equality $\approx_{Obs}$ for an appropriate choice of $Obs$. However, this does not solve the problem raised by the quantifiers, and also an oracle which interprets equality up to observational equivalence should check all observable contexts, which is likely to lead to an infinite process. Gaudel [?] argued that "oracle hypotheses" may be applied in order to reduce the number of observable contexts, and restricted the use of observable contexts as oracle only to those positive conditional specifications where all equations in preconditions are of observable sorts. The reason for this restriction was that when considering only a subset of observable contexts to interpret equality, an equality can be erroneously found to be satisfied, and if this equality is in the premises of a conditional axiom then the axiom can be erroneously found not to be satisfied, leading to the rejection of correct programs. However, even if this restriction is applied, incorrect programs are likely to be accepted, which is not a crucial mistake since testing has been regarded as not suitable for proving correctness, that is, the complete absence of errors, but for showing the presence of errors [?].

The problem that arises here is how $\approx$ can be derived from a finite set of observable contexts. As this will not always be possible [?], we suggest that an equality $\sim$ which approximates $\approx$ may be defined instead. For this, following [2], we define a "lifted" signature $\mathcal{L}(\Sigma) = \{\sim_s : s \times s\}_{s \in S}$, where $\sim_s$ is a predicate defining equality between two terms of sort $s$, introducing an explicit denotation for $\sim_{A,s}$. From a $\Sigma$-algebra $A$ we define a lifted $\mathcal{L}(\Sigma)$-algebra $\mathcal{L}(A)$ satisfying the property that it is the unique extension of $A$ defined by $\mathcal{L}(A)|_\Sigma = A$ and, for any $s \in S$, $\sim_{\mathcal{L}(A),s} \stackrel{def}{=} \sim_{A,s}$. If $\phi$ is a $\Sigma$-sentence, $\mathcal{L}(\phi)$ is its lifted version, generated by substituting $\sim$ for "=" in $\phi$. Then, $\mathcal{L}(SP) = (\mathcal{L}(\Sigma), \mathcal{L}(\Phi))$ is the lifted version of $SP$, where $\mathcal{L}(\Phi) = \{\mathcal{L}(\phi_1), \ldots, \mathcal{L}(\phi_n)\}$. A lifted version of a $SP$-oracle $O$ is a $\mathcal{L}(SP)$-oracle named $\mathcal{L}(O)$. The idea is to test $\mathcal{L}(A)$ against $\mathcal{L}(SP)$ using $\mathcal{L}(O)$ instead of $A$ against $SP$, insofar as it might not be possible to test $A$ against $SP$ because $O$ is not executable. From [?], $A \models_\approx \phi$ if and only if $\mathcal{L}(A) \models_\approx \mathcal{L}(\phi)$, where $\models_\approx$ is the behavioural satisfaction relation.

One may consider three possible ways of defining $\sim$ for non-observable sorts. For instance, the result of comparing two values $v = v'$ of sort $s$ in a $\Sigma$-algebra $A$ may depend on the internal and concrete implementation of $s$. Then, one way of defining $\sim$, which is named the white-box approach, relies on defining a congruence relation by using details about the concrete representation of $s$. This approach does not consist in explicitly specifying and implementing equality for all new sorts, because the equality computation may only be necessary at testing time. The idea is that the implementation under test remains unchanged while the lifted version incorporates the explicit definitions of equality, which avoids introducing bugs in the programs.

Another way of defining $\sim$, which is called the black-box approach, consists in using observable contexts provided by the abstract formal specification. This approach was first investigated by Bernot [?] and Gaudel [?] in the context of positive conditional specifications, and by Le Gall and Arnould [?]. We propose that a finite axiomatisation of the observational equality may be derived from a method which is based on the guidelines and results obtained by Bidoit and Hennicker [?] in order to prove the behavioural validity of first-order formulas. This method can be applied in the context of first-order specifications including quantifiers. Basically, an appropriate finite subset of observable contexts, namely the so-called crucial ones, is chosen, and if this does not lead to an adequate axiomatisation of the equality, then the initial specification is incremented with a hidden part. For lack of space, the full method is not presented here. This approach would be appropriate in most of the general cases where the chosen set of observable contexts is descriptive enough to avoid defining a hidden part. However, when a hidden part is necessary, it may be difficult to find an adequate axiomatization of $\sim$, because defining a hidden part usually relies on intuition and clever choices.

Whenever neither the white-box approach nor the black-box approach can be successfully applied, a grey-box approach, which is the result of combining them, can be used instead. Basically, the grey-box approach consists in using two approximate equalities, one derived by using the black-box approach and the other derived by the white-box approach, which are not necessarily congruence relations but, together, are enough to solve the equality problem in oracle definitions under certain restrictions. Depending on the contexts where these equalities are used, either the oracle interpretation may imply that the program being tested is correct, or whenever the program is correct the oracle interpretation may also say it is correct. In other words, this means that the oracle may either reject correct programs or accept incorrect programs, respectively. However, despite these restrictions, approximate equalities are more likely to work in practice, since giving a decidable definition of a particular congruence relation may be either impossible or too complicated and require a great amount of effort. The grey-box approach is presented in section 5. However, before going into details about this approach, section 4 describes more precisely what an approximate equality is, how it can be used to define an "approximate oracle" and how quantifiers can influence the choice of the appropriate equality.

4 The Approximate Oracle

This section presents some important definitions and results which underlie the grey-box approach and introduces the definition of an approximate oracle. Initially, we define what an approximate equality is. In the sequel, let any $\Sigma$-algebra $A$ be reachable and any $\approx$ be a total $\Sigma$-behavioural equality.

Definition 5 (Approximate equality). Let $A$ be a $\Sigma$-algebra. A binary relation $\sim_A$ on $A$ is called an approximate equality.

It would have been reasonable to require $\sim_A$ to be reflexive in definition 5. However, this assumption is not necessary to the results presented in this paper. In the sequel, $\sim$ will denote a $\Sigma$-approximate equality. When compared with the behavioural equality, an approximate equality may be classified as sound if all values that it identifies are indeed equal, or complete if all equal values are identified. In general, the white-box approach will produce sound equalities while the black-box approach will produce complete equalities.

Definition 6 (Sound Equality). Let $\sim_A$ be an approximate equality. Then, $\sim_A$ is a sound equality if and only if $\forall a, a' \cdot a \sim_A a' \Rightarrow a \approx_A a'$.

Definition 7 (Complete Equality). Let $\sim_A$ be an approximate equality. Then, $\sim_A$ is a complete equality if and only if $\forall a, a' \cdot a \approx_A a' \Rightarrow a \sim_A a'$.

Sound or complete equalities can be successfully applied instead of the behavioural equality in specific contexts. These contexts are regarded as equality occurrences in a $\Sigma$-formula, which might be either positive or negative.

Definition 8 (Equality occurrences). The set of occurrences of $\Sigma$-equations in a first-order $\Sigma$-formula is defined as follows.

1. $Occ[t = t'] \stackrel{def}{=} \{\epsilon\}$
2. $Occ[\neg\psi] \stackrel{def}{=} \{-1 \cdot \omega \mid \omega \in Occ(\psi)\}$
3. $Occ[\psi_1 \odot \psi_2] \stackrel{def}{=} \{1 \cdot \omega \mid \omega \in Occ(\psi_1)\} \cup \{2 \cdot \omega \mid \omega \in Occ(\psi_2)\}$, where $\odot \in \{\wedge, \vee\}$
4. $Occ[\psi_1 \Rightarrow \psi_2] \stackrel{def}{=} \{-1 \cdot \omega \mid \omega \in Occ(\psi_1)\} \cup \{2 \cdot \omega \mid \omega \in Occ(\psi_2)\}$
5. $Occ[\psi_1 \Leftrightarrow \psi_2] \stackrel{def}{=} Occ(\psi_1 \Rightarrow \psi_2) \cup Occ(\psi_2 \Rightarrow \psi_1)$
6. $Occ[Qx\,\psi] \stackrel{def}{=} \{1 \cdot \omega \mid \omega \in Occ(\psi)\}$, where $Q \in \{\forall, \exists\}$

where $-1$ expresses that the formula is in a negative position. An occurrence in $Occ[\Psi]$ is positive if it has an even number of $-1$, otherwise it is negative.

Both left and right equality occurrences in $\psi_1 \Leftrightarrow \psi_2$ can be positive and negative, depending on which direction of the implication we are looking at.

Definition 9 (Approximate Interpretation). Let $A$ be a $\Sigma$-algebra, $T$ be an $A$-test set, and $\sim$ and $\simeq$ be two $\Sigma$-approximate equalities. The approximate interpretation of a first-order $\Sigma$-formula under a valuation $\alpha : X \to |A|$ is given as follows.

1. $[t = t']_\alpha^{\sim,\simeq} \stackrel{def}{=} [t]_\alpha \sim_A [t']_\alpha$
2. $[\neg\psi]_\alpha^{\sim,\simeq} \stackrel{def}{=} \neg[\psi]_\alpha^{\simeq,\sim}$
3. $[\psi_1 \odot \psi_2]_\alpha^{\sim,\simeq} \stackrel{def}{=} [\psi_1]_\alpha^{\sim,\simeq} \odot [\psi_2]_\alpha^{\sim,\simeq}$, where $\odot \in \{\wedge, \vee\}$
4. $[\psi_1 \Rightarrow \psi_2]_\alpha^{\sim,\simeq} \stackrel{def}{=} [\psi_1]_\alpha^{\simeq,\sim} \Rightarrow [\psi_2]_\alpha^{\sim,\simeq}$
5. $[\psi_1 \Leftrightarrow \psi_2]_\alpha^{\sim,\simeq} \stackrel{def}{=} [\psi_1 \Rightarrow \psi_2]_\alpha^{\sim,\simeq} \wedge [\psi_2 \Rightarrow \psi_1]_\alpha^{\sim,\simeq}$
6. $[\forall x : s \bullet \psi]_\alpha^{\sim,\simeq} \stackrel{def}{=} \big\land_{v \in T_s} [\psi]_{\alpha[x \mapsto v]}^{\sim,\simeq}$
7. $[\exists x : s \bullet \psi]_\alpha^{\sim,\simeq} \stackrel{def}{=} \big\lor_{v \in T_s} [\psi]_{\alpha[x \mapsto v]}^{\sim,\simeq}$

where $\alpha[x \mapsto v]$ denotes the valuation $\alpha$ superseded at $x$ by $v$.

Again, when $\Psi$ is a $\Sigma$-sentence, then $[\Psi]_\alpha^{\sim,\simeq} = [\Psi]_\beta^{\sim,\simeq}$ for any valuations $\alpha$ and $\beta$. So, we write $[\Psi]^{\sim,\simeq}$ without the subscript.

The approximate interpretation is similar to the behavioural interpretation from [?], which we refer to as $[\ ]_\alpha$. The main differences are that $[t = t']_\alpha = [t]_\alpha \approx_A [t']_\alpha$ is replaced by $[t = t']_\alpha^{\sim,\simeq} = [t]_\alpha \sim_A [t']_\alpha$, and that the roles of $\sim$ and $\simeq$ are reversed when interpreting a formula in a negative position. Also, bound variables have their domains restricted to $T$.

Lemma 1. Let $\Psi$ be a $\Sigma$-formula. The interpretation $[\Psi]^{\sim,\simeq}$ applies $\sim$ only to positive occurrences of equations and $\simeq$ only to negative occurrences of equations.

Proof. Follows directly from definitions 8 and 9. □

Definition 10 (Approximate SP-Oracle). Let $\Phi = \{\phi_1, \phi_2, \ldots, \phi_n\}$ be the set of axioms of a flat specification $SP$, where each $\phi_i$ is a first-order $\Sigma$-sentence, let $\sim$ and $\simeq$ be two $\Sigma$-approximate equalities, let $A$ be a $\Sigma$-algebra and let $T$ be an $A$-test set. An approximate oracle $O$ is given as follows.

$O(T) = [\phi_1 \wedge \ldots \wedge \phi_n]^{\sim,\simeq}$

The main results of this section are presented by the following theorems.

Theorem 2. Let $\sim$ be a complete equality, $\simeq$ be a sound equality and $\Phi$ be a $\Sigma$-formula. If $\Phi$ contains only positive occurrences of $\forall$ and negative occurrences of $\exists$ then $[\Phi]_\alpha \Rightarrow [\Phi]_\alpha^{\sim,\simeq}$.

Proof. Let $\Phi$ be normalised to a $\Sigma$-formula $\Psi$ by applying the following laws:

- $\neg(P \wedge Q)$ is equivalent to $\neg P \vee \neg Q$, and $\neg(P \vee Q)$ is equivalent to $\neg P \wedge \neg Q$
- $P \Rightarrow Q$ is equivalent to $\neg P \vee Q$
- $\neg\exists x \cdot P(x)$ is equivalent to $\forall x \cdot \neg P(x)$, and $\neg\forall x \cdot P(x)$ is equivalent to $\exists x \cdot \neg P(x)$
- $\neg\neg P$ is equivalent to $P$
- $P \Leftrightarrow Q$ is equivalent to $(P \Rightarrow Q) \wedge (Q \Rightarrow P)$

such that for every sub-formula $\neg\psi$ of $\Psi$, $\psi$ is an equation. Any positive occurrence of an equation $\psi$ in $\Phi$ remains positive in $\Psi$, and each negative occurrence remains negative in $\Psi$. Also, regarding quantifiers, $\Psi$ has only positive $\forall$. The proof is conducted by structural induction on $\Psi$.

(i) $\Psi = t = t'$. In this case, $[t = t']_\alpha = [t]_\alpha \approx_A [t']_\alpha$ and $[t = t']_\alpha^{\sim,\simeq} = [t]_\alpha \sim_A [t']_\alpha$. As $\sim$ is complete, then $[t]_\alpha \approx_A [t']_\alpha \Rightarrow [t]_\alpha \sim_A [t']_\alpha$.

(ii) $\Psi = \neg\psi$. In this case, $[\neg\psi]_\alpha = \neg[\psi]_\alpha$ and $[\neg\psi]_\alpha^{\sim,\simeq} = \neg[\psi]_\alpha^{\simeq,\sim}$. By the contrapositive law, $\neg[\psi]_\alpha \Rightarrow \neg[\psi]_\alpha^{\simeq,\sim}$ iff $[\psi]_\alpha^{\simeq,\sim} \Rightarrow [\psi]_\alpha$. As $\psi$ is an equation $t = t'$ and $\simeq$ is a sound equality, then $[t]_\alpha \simeq_A [t']_\alpha \Rightarrow [t]_\alpha \approx_A [t']_\alpha$. Hence, $[\psi]_\alpha^{\simeq,\sim} \Rightarrow [\psi]_\alpha$.

(iii) $\Psi = \psi_1 \odot \psi_2$. In this case, $[\psi_1 \odot \psi_2]_\alpha = [\psi_1]_\alpha \odot [\psi_2]_\alpha$ and $[\psi_1 \odot \psi_2]_\alpha^{\sim,\simeq} \stackrel{def}{=} [\psi_1]_\alpha^{\sim,\simeq} \odot [\psi_2]_\alpha^{\sim,\simeq}$, where $\odot \in \{\wedge, \vee\}$. By induction hypothesis, $[\psi_1]_\alpha \Rightarrow [\psi_1]_\alpha^{\sim,\simeq}$ and $[\psi_2]_\alpha \Rightarrow [\psi_2]_\alpha^{\sim,\simeq}$. Thus, because $\odot$ has the same interpretation in both, $[\psi_1 \odot \psi_2]_\alpha \Rightarrow [\psi_1 \odot \psi_2]_\alpha^{\sim,\simeq}$.

(iv) $\Psi = \psi_1 \Rightarrow \psi_2$. This case need not be considered, as all occurrences of $\Rightarrow$ in $\Phi$ are replaced by using the conditional law.

(v) $\Psi = \psi_1 \Leftrightarrow \psi_2$. This case need not be considered, as all occurrences of $\Leftrightarrow$ in $\Phi$ are replaced by using the biconditional law.

(vi) $\Psi = \forall x : s \bullet \psi$. In this case, $[\forall x : s \bullet \psi]_\alpha^{\sim,\simeq} = \big\land_{v \in T_s} [\psi]_{\alpha[x \mapsto v]}^{\sim,\simeq}$ and $[\forall x : s \bullet \psi]_\alpha = \big\land_{v \in |A|_s} [\psi]_{\alpha[x \mapsto v]}$. By induction hypothesis, $[\psi]_{\alpha[x \mapsto v]} \Rightarrow [\psi]_{\alpha[x \mapsto v]}^{\sim,\simeq}$, and as $T \subseteq |A|$ by definitions 2 and 9, then $[\forall x : s \bullet \psi]_\alpha \Rightarrow [\forall x : s \bullet \psi]_\alpha^{\sim,\simeq}$.

(vii) $\Psi = \exists x : s \bullet \psi$. This case need not be considered, as only negative occurrences of $\exists$ are possible and these are converted by the quantifier laws. □

Theorem 2 is a generalisation of the results obtained by Gaudel [?] for positive conditional specifications with conditions of observable sorts. There, the only negative occurrences of equations are in the conditions, and the restriction to observable equations is so that the computational equality, which is sound and complete, can be used. The black-box equality, which is complete but need not be sound, is used in the conclusion, which is a positive occurrence. Finally, the only quantifiers in conditional equations are universal quantifiers outermost, that is, in positive position. As in the context investigated by Gaudel, theorem 2, which covers a prevalent use of $\forall$ and $\exists$, implies that incorrect programs can be accepted by an approximate oracle. On the other hand, theorem 3 given below, which is the dual of theorem 2, implies that correct programs can be rejected.

Theorem 3. Let $\sim$ be a sound equality, $\simeq$ be a complete equality and $\Phi$ be a $\Sigma$-formula. If $\Phi$ contains only negative occurrences of $\forall$ and positive occurrences of $\exists$ then $[\Phi]_\alpha^{\sim,\simeq} \Rightarrow [\Phi]_\alpha$.

If only finitary algebras are considered, no restrictions on quantifiers are needed.

Theorem 4. Let $\sim$ be a complete equality, $\simeq$ be a sound equality and $\Phi$ be a $\Sigma$-formula. If $A$ is a finitary $\Sigma$-algebra then $[\Phi]_\alpha \Rightarrow [\Phi]_\alpha^{\sim,\simeq}$.

Proof. Follows the same line as the proof of theorem 2, given that $\forall$ and $\exists$ have the same interpretation in $[\Phi]_\alpha$ and $[\Phi]_\alpha^{\sim,\simeq}$. □

Theorem 5. Let $\sim$ be a sound equality, $\simeq$ be a complete equality and $\Phi$ be a $\Sigma$-formula. If $A$ is a finitary $\Sigma$-algebra then $[\Phi]_\alpha^{\sim,\simeq} \Rightarrow [\Phi]_\alpha$.

If $T$ is finite, valid and unbiased, no restrictions on quantifiers are necessary either. Nevertheless, these may be quite strong assumptions, not straightforward to fulfil in practice. The fact that theorems 2, 3, 4 and 5 do not have assumptions on test sets brings out a way of interpreting testing results without relying on whether the test set is valid, unbiased, or whatever. These assumptions on test sets would mainly replace the assumptions on quantifiers in theorems 2 and 3, but the conclusions of these theorems would remain the same.
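As an added illustration (not code from the paper), the following Python rendering of definitions 8 and 9 computes equation occurrences and evaluates the behavioural and approximate interpretations over a constructed finite algebra. The tuple encoding of formulas, the algebra (values 0..7 observed only modulo 4), its sound and complete equalities and the formulas PHI1 to PHI3 are all assumptions of this example; `grey_box` evaluates the two equality assignments that section 5 calls approaches (i) and (ii), and since the test set is the whole carrier, theorems 4 and 5 apply without quantifier restrictions.

```python
from typing import Callable, Dict, List

# Constructed formula syntax (assumption for this example):
#   ("eq", t, t'), ("not", f), ("and", f, g), ("or", f, g), ("imp", f, g),
#   ("iff", f, g), ("all", x, sort, f), ("ex", x, sort, f).
# Terms are callables from a valuation (dict) to a value of the algebra.
Valuation = Dict[str, int]
Equality = Callable[[int, int], bool]
TestSet = Dict[str, List[int]]


def occ(f) -> set:
    """Definition 8: occurrences of equations as paths; -1 marks a negative step."""
    k = f[0]
    if k == "eq":
        return {()}
    if k == "not":
        return {(-1,) + w for w in occ(f[1])}
    if k in ("and", "or"):
        return {(1,) + w for w in occ(f[1])} | {(2,) + w for w in occ(f[2])}
    if k == "imp":  # antecedent is negative, consequent positive
        return {(-1,) + w for w in occ(f[1])} | {(2,) + w for w in occ(f[2])}
    if k == "iff":
        return occ(("imp", f[1], f[2])) | occ(("imp", f[2], f[1]))
    if k in ("all", "ex"):
        return {(1,) + w for w in occ(f[3])}
    raise ValueError(k)


def is_positive(w: tuple) -> bool:
    """An occurrence is positive iff it passes an even number of -1 steps."""
    return w.count(-1) % 2 == 0


def interp(f, a: Valuation, pos: Equality, neg: Equality, T: TestSet) -> bool:
    """Definition 9: [[f]]_a^{pos,neg}. `pos` decides equations in positive
    position and `neg` those in negative position; the pair is swapped under
    negation and in the antecedent of an implication (Lemma 1), and bound
    variables range over T. With pos == neg and T == carrier this is Def. 2."""
    k = f[0]
    if k == "eq":
        return pos(f[1](a), f[2](a))
    if k == "not":
        return not interp(f[1], a, neg, pos, T)
    if k == "and":
        return interp(f[1], a, pos, neg, T) and interp(f[2], a, pos, neg, T)
    if k == "or":
        return interp(f[1], a, pos, neg, T) or interp(f[2], a, pos, neg, T)
    if k == "imp":
        return (not interp(f[1], a, neg, pos, T)) or interp(f[2], a, pos, neg, T)
    if k == "iff":
        both = ("and", ("imp", f[1], f[2]), ("imp", f[2], f[1]))
        return interp(both, a, pos, neg, T)
    if k in ("all", "ex"):
        x, s, g = f[1], f[2], f[3]
        results = [interp(g, {**a, x: v}, pos, neg, T) for v in T[s]]
        return all(results) if k == "all" else any(results)
    raise ValueError(k)


# Constructed algebra A: carrier {0..7}; the observers only see a value modulo 4,
# so the behavioural equality identifies x and y iff x % 4 == y % 4.
CARRIER: TestSet = {"nat": list(range(8))}
beq: Equality = lambda x, y: x % 4 == y % 4       # behavioural equality (Def. 2)
sound: Equality = lambda x, y: x == y             # structural: x == y implies x beq y (Def. 6)
complete: Equality = lambda x, y: x % 2 == y % 2  # x beq y implies same parity (Def. 7)


def var(x):
    return lambda a: a[x]


def plus(t, k):
    return lambda a: (t(a) + k) % 8


# Constructed formulas; each has one positive forall and no exists, so theorem 2
# applies, and the test set below is the whole carrier (theorems 4 and 5).
PHI1 = ("all", "x", "nat", ("eq", var("x"), plus(var("x"), 4)))   # holds behaviourally
PHI2 = ("all", "x", "nat", ("imp", ("eq", var("x"), plus(var("x"), 2)),
                                   ("eq", var("x"), plus(var("x"), 4))))
PHI3 = ("all", "x", "nat", ("eq", var("x"), plus(var("x"), 2)))   # fails behaviourally


def grey_box(f, T: TestSet = CARRIER) -> Dict[str, bool]:
    """Behavioural interpretation next to the two approximate oracles of section 5:
    approach (i) uses the complete equality in positive and the sound one in
    negative occurrences (theorem 2); approach (ii) swaps them (theorem 3)."""
    return {
        "behavioural": interp(f, {}, beq, beq, CARRIER),
        "approach_i": interp(f, {}, complete, sound, T),
        "approach_ii": interp(f, {}, sound, complete, T),
    }
```

For PHI3 approach (i) accepts an algebra that behaviourally violates the formula, while for PHI1 approach (ii) rejects one that satisfies it; in both cases the implications of theorems 2 and 3 still hold.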

5 The Grey-Box Approach

This approach is based on combining the white-box and black-box approaches in order to define an approximate oracle, where the former may be used to produce a sound equality $\simeq$ and the latter may be used to produce a complete equality $\sim$. It can be noticed that an equality defined from a subset of the set of all observable contexts is always complete. Thus, the black-box approach can be applied to find an axiomatization over the crucial contexts¹ as defined by Bidoit and Hennicker [?]. The equality induced by these contexts either coincides with the observational equality or is a complete approximate equality.

Sound and complete equalities approximate the behavioural equality from opposite extremes ($\simeq \subseteq \approx \subseteq \sim$). Whenever the black-box equality is only complete, it is reasonable to define a sound equality by using the white-box approach. Structural equalities based on the behavioural equality of the values of the concrete representation of a sort $s$, even though not always complete, are always sound w.r.t. a $\Sigma$-algebra $A$.

The grey-box approach can be applied with one of the following objectives.

(i) Avoid rejecting correct programs. Based on theorems 2 and 4, this approach consists in applying a sound equality in negative occurrences of $\Sigma$-equations and a complete equality in positive occurrences.

(ii) Avoid accepting incorrect programs. Based on theorems 3 and 5, this approach consists in applying the complete equality in negative occurrences of $\Sigma$-equations and the sound equality in positive occurrences.

¹ $f(x_1 \ldots z_{s_k} \ldots x_n)$, with $f : s_1 \ldots s_k \ldots s_n \to s \in F$, $s \in Obs$ and $s_k \in S \setminus Obs$

Depending on the approach used, different conclusions about correctness and incorrectness can be achieved. Let $\models_\approx$ be the behavioural satisfaction relation.

Theorem 6 (Incorrectness). Let $O$ be an approximate oracle. If $\forall\alpha \cdot [\phi_1 \wedge \ldots \wedge \phi_n]_\alpha \Rightarrow [\phi_1 \wedge \ldots \wedge \phi_n]_\alpha^{\sim,\simeq}$, then $O(T) = false$ implies $A \not\models_\approx \Phi$.

Proof. As $O(T) = false$, there exists $\alpha$ such that $[\phi_1 \wedge \ldots \wedge \phi_n]_\alpha^{\sim,\simeq}$ does not hold. Thus, because by assumption $[\phi_1 \wedge \ldots \wedge \phi_n]_\alpha \Rightarrow [\phi_1 \wedge \ldots \wedge \phi_n]_\alpha^{\sim,\simeq}$, $[\phi_1 \wedge \ldots \wedge \phi_n]_\alpha$ does not hold as well. □

Theorem 6 states that whenever testing is not successful in approach (i) we can conclude that the program is incorrect. However, it is easy to check that the converse does not hold: if testing is successful we cannot conclude that the program is correct. On the other hand, theorem 7 states that whenever testing is successful in approach (ii) we can conclude that the program is correct, but once again the converse does not hold.

Theorem 7 (Correctness). Let $O$ be an approximate oracle. If $\forall\alpha \cdot [\phi_1 \wedge \ldots \wedge \phi_n]_\alpha^{\sim,\simeq} \Rightarrow [\phi_1 \wedge \ldots \wedge \phi_n]_\alpha$, then $O(T) = true$ implies $A \models_\approx \Phi$.

Proof. As $O(T) = true$, then $\forall\alpha : X \to |A| \cdot [\phi_1 \wedge \ldots \wedge \phi_n]_\alpha^{\sim,\simeq}$ holds. Thus, because by assumption $[\phi_1 \wedge \ldots \wedge \phi_n]_\alpha^{\sim,\simeq} \Rightarrow [\phi_1 \wedge \ldots \wedge \phi_n]_\alpha$, $[\phi_1 \wedge \ldots \wedge \phi_n]_\alpha$ holds as well. Hence, $A \models_\approx \Phi$. □

Approach (i) is the classical one to testing, whereas approach (ii) comes up with an innovation in testing theory and practice. If the test succeeds in approach (i) the program might be incorrect, which is expected as an intrinsic feature of testing. Also, even if the test does not succeed in approach (ii), the program might be correct. Whenever the premises of theorems 6 or 7 and of their respective duals are satisfied, these approaches can be combined in order to achieve a higher degree of confidence in the interpretation given by the oracle. For example, if the test fails in approaches (i) and (ii), the program is incorrect, while if it succeeds in approaches (i) and (ii), then the program is correct.

6 Example 

On Oracles for Interpreting Test Results against Algebraic Specifications 513

This section presents an example in EML which applies the grey-box approach to the unification problem. Unification, which plays a central role in theorem proving, is the process of finding a common instance of two expressions, and if such an instance exists, the algorithm produces the most general substitution which yields it. The specification presented here is inspired by the one given in [?]. Initially, a specification of expressions is given as follows. An expression can be a constant, a variable or a function application to a list of expressions.

    signature Func = sig eqtype function; val arity : function -> int; ... end

    signature Expression =
    sig
      structure S : Set;
      structure F : Func;
      eqtype constant;
      eqtype variable;
      type expression;
      val const : constant -> expression;
      val var : variable -> expression;
      val func : F.function * expression list -> expression;
      val is_valid : expression -> bool;
      axiom (forall c => is_valid(const(c))) andalso (forall v => is_valid(var(v)))
      axiom forall (f,l) => is_valid(func(f,l)) = (F.arity(f) = length(l))
      val vars : expression -> variable S.set;
      val varsl : expression list -> variable S.set;
      axiom forall c => vars(const(c)) == S.emptyset
      axiom forall v => vars(var(v)) == S.add(v, S.emptyset)
      axiom forall (f,l) => vars(func(f,l)) == varsl(l)
      axiom varsl([]) == S.emptyset
      axiom forall (a,x) => varsl((a::x)) == S.union(vars(a),varsl(x));
    end;

where length returns the size of a list and Set specifies sets with the usual operations. Substitution is an operation that replaces specific variables of an expression by other expressions.

    signature Substitution =
    sig
      include Expression;
      type substitution;
      val empty : substitution;
      val dom : substitution -> variable S.set;
      val rng : substitution -> variable S.set;
      val add : variable * expression * substitution -> substitution;
      axiom (dom(empty) == S.emptyset) andalso (rng(empty) == S.emptyset)
      axiom forall (s,x,e) =>
        ((S.member(x,dom(s)) = false) andalso ((e == var(x)) = false)) implies
        ( (dom(add(x,e,s)) == S.add(x,dom(s))) andalso
          (rng(add(x,e,s)) == S.union(vars(e),rng(s))) )
      val apply : expression * substitution -> expression;
      val applyl : expression list * substitution -> expression list;
      axiom forall e => apply(e,empty) == e
      axiom forall (c,s) => apply(const(c),s) == const(c)
      axiom forall (x,e,s) => apply(var(x),add(x,e,s)) == e
      axiom forall (x,y,e,s) =>
        (x <> y) implies (apply(var(y),add(x,e,s)) == apply(var(y),s))
      axiom forall (f,l,s) => apply(func(f,l),s) == func(f,applyl(l,s))
      axiom forall s => applyl([],s) == []
      axiom forall (e,l,s) => applyl((e::l),s) == apply(e,s)::applyl(l,s)
      val compose : substitution * substitution -> substitution;
      axiom forall (s,s',e) => apply(e,compose(s,s')) == apply(apply(e,s),s')
      axiom forall s =>
        (compose(s,empty) == s) andalso (compose(empty,s) == s)
      axiom forall (x,y,z) =>
        compose(compose(x,y),z) == compose(x,compose(y,z))
      val is_moregeneral : substitution * substitution -> bool;
      axiom forall (s,s') =>
        is_moregeneral(s,s') iff (exists r => s' == compose(s,r))
      val is_idempotent : substitution -> bool;
      axiom forall s =>
        is_idempotent(s) iff S.intersect(dom(s),rng(s)) == S.emptyset;
    end;

The unification specification is given as follows in the Unification signature.

    signature Unification =
    sig
      include Substitution;
      val unify : expression * expression -> substitution;
      axiom forall (e,e') => (exists s => apply(e,s) == apply(e',s)) implies
        ( (apply(e,unify(e,e')) == apply(e',unify(e,e'))) andalso
          (forall s' => apply(e,s') == apply(e',s')
                        implies is_moregeneral(unify(e,e'),s')) andalso
          (is_idempotent(unify(e,e'))) )
    end;

Let bool and constant be observable sorts. An oracle for the Unification signature, and more precisely for the unify function, needs to compute equality on expression, which is taken, at first instance, as a non-observable sort. The black-box approach is not appropriate to directly define an observational equality on expression, because its crucial contexts (is_valid(z_exp), vars(z_exp)) are not descriptive enough, and then hidden functions must be added. Thus, the grey-box approach is a better choice. It can be noticed that the unify axiom has only positive forall and negative exists. Then, to apply theorem 2 we define a complete equality on expressions by using the black-box approach and a sound equality by using the white-box approach, and this implies from theorem 6 that we will only be able to detect incorrectness of the implementation. A lifted version of an implementation of the signature Expression is given as follows, where the equality on expressions is implemented by eq_s, which is clearly a structural sound equality.

    functor LExpression
      (eqtype Constant eqtype Variable structure set : Set structure f : Func) :
      sig include Expression;
          val eq_s : expression * expression -> bool;
          sharing S = set and F = f and
            type constant = Constant and type variable = Variable end =
    struct
      datatype expression =
        const of constant | var of variable | func of F.function * (expression list)

      fun eq_s (const(c),const(c')) = c = c' |
          eq_s (var(v),var(v')) = v = v' |
          eq_s (func(f,l),func(f',l')) = (f = f') andalso eq_sl(l,l') |
          eq_s (_,_) = false                 (* different constructors *)
      and eq_sl ([],[]) = true |
          eq_sl ((e::l),(e'::l')) = eq_s(e,e') andalso eq_sl(l,l') |
          eq_sl (l,l') = false
    end;

For the sake of simplicity, is_valid, vars and varsl are omitted. Obviously, different eq_s may be defined from other implementations of Expression. The complete equality which is defined from the finite set of crucial contexts of expression is as follows.

$\forall e, e' \cdot eq\_c(e, e') = (is\_valid(e) = is\_valid(e')) \wedge (vars(e) = vars(e'))$

Finally, the oracle function for the unification algorithm can be as follows.

    fun o_unify (le,ls) = o_forall le (fn e => o_forall le (fn e' =>
        o_exists ls (fn s => eq_s(apply(e,s),apply(e',s))) implies
        ( (eq_c(apply(e,unify(e,e')),apply(e',unify(e,e')))) andalso
          (o_forall ls (fn s' => eq_s(apply(e,s'),apply(e',s')) implies
                                 is_moregeneral(unify(e,e'),s'))) andalso
          is_idempotent(unify(e,e')) ) ))
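As an added example, not the paper's EML code, here is a Python rendering of the same grey-box oracle: eq_s is the structural (sound) equality, eq_c the crucial-context (complete) equality, and o_unify follows the shape of the EML function above, with eq_s in the negative occurrences and eq_c in the positive one. The tuple encoding of expressions, the dict substitutions, the arity table, the is_moregeneral shortcut and the test sets LE and LS are constructed assumptions, and a deliberately faulty `unify` variant (`propagate=False`) shows that the oracle, as theorem 6 predicts, detects incorrectness.

```python
from typing import Dict, Optional

# Expressions (assumption): ("const", c), ("var", v), ("func", f, (args...)).
# Substitutions: dict from variable name to expression.
Subst = Dict[str, tuple]
ARITY = {"f": 2}  # constructed Func structure: arity of each function symbol


def const(c): return ("const", c)
def var(v): return ("var", v)
def func(f, *args): return ("func", f, tuple(args))


def is_valid(e) -> bool:
    return e[0] != "func" or (ARITY.get(e[1]) == len(e[2]) and all(map(is_valid, e[2])))


def vars_of(e) -> frozenset:
    if e[0] == "var":
        return frozenset([e[1]])
    if e[0] == "func":
        return frozenset().union(*map(vars_of, e[2]))
    return frozenset()


def apply(e, s: Subst):
    if e[0] == "var":
        return s.get(e[1], e)
    if e[0] == "func":
        return ("func", e[1], tuple(apply(a, s) for a in e[2]))
    return e


def compose(s: Subst, t: Subst) -> Subst:
    """apply(e, compose(s, t)) == apply(apply(e, s), t); identity bindings dropped."""
    out = {x: apply(e, t) for x, e in s.items()}
    out.update({x: e for x, e in t.items() if x not in s})
    return {x: e for x, e in out.items() if e != var(x)}


def is_idempotent(s: Subst) -> bool:
    rng = frozenset().union(*(vars_of(e) for e in s.values()))
    return not (set(s) & rng)


def is_moregeneral(s: Subst, t: Subst) -> bool:
    # For idempotent s, a witness r with t == compose(s, r) exists iff r = t works.
    return compose(s, t) == t


def unify(e1, e2, propagate: bool = True) -> Optional[Subst]:
    """Syntactic unification with occurs check: the mgu, or None. propagate=False
    is a constructed faulty variant that forgets to instantiate pending pairs."""
    s: Subst = {}
    pairs = [(e1, e2)]
    while pairs:
        a, b = pairs.pop()
        if propagate:
            a, b = apply(a, s), apply(b, s)
        if a == b:
            continue
        if a[0] == "var" or b[0] == "var":
            x, t = (a[1], b) if a[0] == "var" else (b[1], a)
            if x in vars_of(t):
                return None  # occurs check fails: no unifier
            s = compose(s, {x: t})
        elif a[0] == b[0] == "func" and a[1] == b[1] and len(a[2]) == len(b[2]):
            pairs.extend(zip(a[2], b[2]))
        else:
            return None
    return s


# White-box (sound) and black-box (complete) equalities on the non-observable sort.
def eq_s(e, e2) -> bool: return e == e2
def eq_c(e, e2) -> bool: return is_valid(e) == is_valid(e2) and vars_of(e) == vars_of(e2)


def o_exists(xs, pred): return any(pred(x) for x in xs)
def o_forall(xs, pred): return all(pred(x) for x in xs)
def implies(p, q): return (not p) or q


def o_unify(le, ls, unify_fn=unify) -> bool:
    """Approximate oracle for the unify axiom, approach (i): eq_s in the negative
    occurrences (the premises), eq_c in the positive one (the conclusion)."""
    def check(e, e2):
        if not o_exists(ls, lambda s: eq_s(apply(e, s), apply(e2, s))):
            return True  # no unifier in the test set: axiom holds vacuously
        u = unify_fn(e, e2)
        if u is None:
            return False
        return (eq_c(apply(e, u), apply(e2, u))
                and o_forall(ls, lambda s2: implies(eq_s(apply(e, s2), apply(e2, s2)),
                                                    is_moregeneral(u, s2)))
                and is_idempotent(u))
    return o_forall(le, lambda e: o_forall(le, lambda e2: check(e, e2)))


# Constructed test set: a list of expressions and a list of candidate substitutions.
X, Y, A = var("x"), var("y"), const("a")
LE = [func("f", X, Y), func("f", Y, A), func("f", X, X)]
LS = [{}, {"x": A, "y": A}, {"y": X}, {"x": Y}]
```

A passing run says nothing about correctness (eq_c identifies f(a,x) with f(x,a), for instance); only the failing run licenses a conclusion, which is the approach (i) reading of the oracle.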

Now, consider how an oracle for Substitution can be defined. Let substitution and expression be non-observable sorts. The crucial contexts on substitution are dom(z_subst), rng(z_subst), is_moregeneral(z_subst, s) and is_idempotent(z_subst). However, it is clear that substitutions are equal if they produce the same result when applied to all expressions. As expression is a non-observable sort, apply cannot be used as a crucial context. Thus, as the set of crucial contexts is not enough to construct a sound and complete equality, the grey-box approach seems to be the best choice again. Consider the axiom which specifies the is_moregeneral operation. This axiom can be converted to the following by expanding iff.

    axiom forall (s,s') =>
      (is_moregeneral(s,s') implies (exists r => s' == compose(s,r)))       (φ)
      andalso
      ((exists r => s' == compose(s,r)) implies is_moregeneral(s,s'))       (ψ)

Here we have a positive occurrence of $\forall$ and a positive and a negative occurrence of $\exists$, and then neither theorem 2 nor theorem 3 is applicable to the whole axiom. Whenever quantifiers occur as one side of iff predicates, these theorems cannot be applied in both directions of the biconditional. The direction which does not meet the premises of the theorem being considered must be discarded. It is easy to check that from the standard interpretation of $\wedge$ and theorem 2, $[\phi \wedge \psi]_\alpha \Rightarrow [\psi]_\alpha^{\sim,\simeq}$, but $[\phi]_\alpha \Rightarrow [\phi]_\alpha^{\sim,\simeq}$ may not hold, unless either the algebra is finitary (theorem 4) or $T$ is unbiased (due to the positive $\exists$). Also, when considering theorem 3, dual conclusions can be reached. If ($\phi$) is added to the Substitution oracle, then correct programs can be rejected and incorrect programs can be accepted at the same time. The reason for this is that if is_moregeneral(s, s') happens to be true, then the test set must have a witness r in order to avoid rejecting a correct program, which requires either a finite exhaustive or an unbiased test set. In case is_moregeneral(s, s') = false and a witness r can be found in the test set, then incorrect programs can be accepted. Hence, only $\forall s, s' \cdot \psi$ is added to the Substitution oracle, implying that incorrect programs can be accepted w.r.t. a simplified Substitution specification without ($\phi$). This reflects the limitations of testing, which is aimed at detecting the presence of errors, but often not all of them can be detected. From theorem 2, a sound equality can be used to compute (s' == compose(s,r)).

Finally, suppose expression is an observable sort. Then, the black-box approach seems to be a good choice, as apply(e, z_subst) can be added to the set of crucial contexts. After applying the black-box approach, a sound and complete equality on substitution can be defined as $\forall s, s' \cdot eq(s, s') = (\forall e \cdot (apply(e, s) = apply(e, s')))$. However, it is necessary to check whether this equality is a congruence relation [?]. Otherwise, theorem [?] can help interpreting test results, as it does not require eq to be a congruence relation.

7 Concluding Remarks 

Having defined a $SP$-oracle in section 2 as a boolean function which is constructed from the conjunction of the axioms of $SP$, the oracle problem in the context of algebraic specifications expressed in first-order logic reduces to the general problem of finding an equality procedure for non-observable sorts and the limitations imposed by quantifiers. This paper introduces an approach to tackle this problem, the grey-box approach. In this approach, a sound and a complete approximate equality are constructed as close as possible or even equal to the behavioural equality, taking the presence of quantifiers into account. An approximate equality might be neither an equivalence nor a congruence relation, and no restriction is made on test sets. So, it is not necessary to define valid and unbiased test sets nor to check whether both equalities are congruence relations. If approximate equalities are defined in a systematic way, they can be guaranteed to be either complete or sound. For instance, it is always possible and simple to define complete equalities from a set of crucial contexts (black-box), and structural equalities are always sound (white-box). Furthermore, the grey-box approach leads to similar levels of confidence when compared to the one presented in [?], but it can be applied in a wider context.

As further work, we aim to define a method for applying the grey-box approach, to extend this approach for generating oracles to structured specifications, and to provide a basis for integration testing. The EML framework [?] seems to be an appropriate basis. Also, an investigation of how testing using grey-box oracles would work when used together with refinement and proofs as part of a conventional formal development process seems to be quite important.
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System Description 

Diagrams in general, and graphs in particular, are commonplace for researchers 
of science. Up to 70% of the papers presented in every Computer Science con- 
ference use specialised diagrams or graphs for clarification of ideas and also for 
demonstrations. Graph theory is a discipline in itself, constantly growing inside 
Discrete Mathematics. New specialised graph editors are a must for different 
applications. Examples of such applications in computer science are Petri nets. 
Pert diagrams, binary trees, Entity Relationship Diagrams, Class diagrams for 
00-design, State charts, finite automaton, etc. However, diagrams are used not 
only in computer science; they are also used in other broad areas such as elec- 
trical engineering, chemistry and architecture, of which examples are electrical 
circuits, chemical reaction chains, molecular models and pipes. Such diagrams or 
graphs have their own grammar, i.e. their own lexica and their own editing rules. 
A grammar for binary trees is trivial, but the inner structure of the grammar of 
a molecular chain could be rather complicated. 

The objective of the Recopla Meta-Editor is to generate specialised editors 
for the applications mentioned above. At the Meta-level, it provides graphic 
editors for nodes and arcs. Both nodes and arcs can have an unlimited number 
of typed attributes, with or without a default value. Tables are also allowed 
as attributes. Attributes have names and they can be defined to be visible or 
non-visible. In the first case they appear on the canvas showing their values, 
whereas in the latter they are visible only through the inspector. For visible 
attributes, the font-family, font-colour, size, alignment, padding and background 
can be dynamically defined. Recopla has a number of distinguished attributes, 
like URL and File. Each node/arc can have an associated URL, which is used 
later when generating an HTML of the created diagram. While saving a diagram, 
a gif file will be generated with a picture of the diagram; and also an html file 
will be generated with hyperlinks pointing to the URLs in the nodes and arcs. 
A Java serialised object (a persistent object) of the edited diagram will also be 
saved. I.e. any other Java application can read that serialised object and cast it 
to a Recopla diagram and make proper diagram analysis and refinements. 

* This project was partially supported by the LMF-DI PUC-RIO, FAST e.V. and by 
the Institut für Informatik, Ludwig-Maximilians-Universität München. 
A node or an arc can also be associated with a file, and for each type of 
file (for each extension) a helper application can be defined using the “Preferences 
Browser”. Double clicking on a node or arc will call the application associated 
with the File attribute, using the value of this attribute as a parameter. That is, if 
the File value is a PostScript file and the helper for ps extensions is Ghostview, 
then Ghostview will be opened with the corresponding PostScript file. 

Arcs can be coloured; different colours for the left and right arrows can be 
specified and so too for the body. Typical arrows have already been predefined 
and are modifiable. The body of an arrow can be defined to be drawn with 
hyphens and the space between hyphens is also adjustable. Nodes can contain 
any graphic element such as circles, rectangles, lines, images and text. Colours 
can also be given for any of these elements. Images in gif or jpg format can 
be bound to any graphic element contained in a node. The shape of arcs can be 
defined to be polygonal or curved using a spline interpolator. 

In addition to nodes and arcs, some other diagram elements can be specified 
for a given editor in Recopla. They are graphic elements which do not belong 
to the grammar of this editor. These elements are text for titles, images for logos, 
and normal graphic elements such as lines, circles and rectangles. 

The grammar of a given editor is specified by edition rules using Prolog 
syntax. The edition rules drive the syntax of the editor using an event-based 
model. The predicates to be evaluated are the actions to be performed on objects 
on the canvas. Examples of these actions are canInsertNode, canConnect, 
canDeleteNode, canDeleteArc, canDeleteSelection and canMove. Using these 
actions not only ensures a syntactically correct diagram but also adds control 
over the layout, i.e. by combining the predicates canInsert and canMove one can 
draw non-overlapping graphs. In the case of an editor for electric circuits the 
rule canConnect will ensure a short-circuit-free diagram. 
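The following added example is not Recopla code (Recopla's edition rules are Prolog predicates; this is a Python sketch written for this page). It shows the event-based model above as guard predicates for a hypothetical electric-circuit editor: canInsertNode and canMove refuse overlapping nodes, and canConnect refuses a wire that would short a source. The node kinds "source" and "lamp", the two terminals per node, and the reading of "short-circuit-free" as "no wire-only path between both terminals of a source" are assumptions of the example, not taken from the page.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Rect:
    """Axis-aligned bounding box of a node on the canvas."""
    x: float
    y: float
    w: float
    h: float

    def overlaps(self, other: "Rect") -> bool:
        # Two boxes are disjoint iff one lies entirely left of, right of,
        # above or below the other; overlap is the negation of that.
        return not (self.x + self.w <= other.x or other.x + other.w <= self.x
                    or self.y + self.h <= other.y or other.y + other.h <= self.y)


@dataclass
class Node:
    name: str
    kind: str   # assumed node types of the circuit editor: "source" or "lamp"
    box: Rect


class CircuitEditor:
    """Hypothetical Recopla-style editor: each edit event is guarded by a predicate."""

    def __init__(self) -> None:
        self.nodes: Dict[str, Node] = {}
        self.wires: List[Tuple[str, str]] = []   # a wire joins two terminals

    @staticmethod
    def terminals(name: str) -> Tuple[str, str]:
        # Assumption: every node has exactly two terminals, "<name>.a" and "<name>.b".
        return f"{name}.a", f"{name}.b"

    @staticmethod
    def _wire_classes(wires: List[Tuple[str, str]]) -> Callable[[str], str]:
        """Union-find over terminals joined by plain wires, i.e. zero-impedance paths."""
        parent: Dict[str, str] = {}

        def find(t: str) -> str:
            parent.setdefault(t, t)
            while parent[t] != t:
                parent[t] = parent[parent[t]]   # path halving
                t = parent[t]
            return t

        for u, v in wires:
            parent[find(u)] = find(v)
        return find

    # ---- edition rules: the predicates evaluated before an action is allowed ----
    def can_insert_node(self, node: Node) -> bool:
        """canInsertNode: a new node may not overlap an existing one."""
        return node.name not in self.nodes and not any(
            node.box.overlaps(n.box) for n in self.nodes.values())

    def can_move(self, name: str, new_box: Rect) -> bool:
        """canMove: a moved node may not overlap any other node."""
        return name in self.nodes and not any(
            new_box.overlaps(n.box) for n in self.nodes.values() if n.name != name)

    def can_connect(self, t1: str, t2: str) -> bool:
        """canConnect: refuse a wire that would join both terminals of a source by wires only."""
        known = {t for n in self.nodes for t in self.terminals(n)}
        if t1 == t2 or t1 not in known or t2 not in known:
            return False
        find = self._wire_classes(self.wires + [(t1, t2)])   # tentative union
        return all(find(a) != find(b)
                   for n in self.nodes.values() if n.kind == "source"
                   for a, b in [self.terminals(n.name)])

    # ---- actions: each one is refused when its predicate fails ----
    def insert_node(self, node: Node) -> None:
        if not self.can_insert_node(node):
            raise ValueError(f"canInsertNode refused {node.name}")
        self.nodes[node.name] = node

    def move_node(self, name: str, new_box: Rect) -> None:
        if not self.can_move(name, new_box):
            raise ValueError(f"canMove refused {name}")
        self.nodes[name].box = new_box

    def connect(self, t1: str, t2: str) -> None:
        if not self.can_connect(t1, t2):
            raise ValueError(f"canConnect refused {t1}-{t2}")
        self.wires.append((t1, t2))


def demo() -> Dict[str, object]:
    """Constructed scenario: a battery and a lamp, then four refused edits."""
    ed = CircuitEditor()
    ed.insert_node(Node("bat", "source", Rect(0, 0, 10, 10)))
    ed.insert_node(Node("lamp", "lamp", Rect(20, 0, 10, 10)))
    overlap_refused = not ed.can_insert_node(Node("x", "lamp", Rect(5, 5, 10, 10)))
    move_refused = not ed.can_move("lamp", Rect(8, 0, 10, 10))
    ed.connect("bat.a", "lamp.a")
    ed.connect("lamp.b", "bat.b")        # a closed loop through the lamp is fine
    short_refused = not ed.can_connect("bat.a", "bat.b")     # wire straight across the battery
    bypass_refused = not ed.can_connect("lamp.a", "lamp.b")  # wire around the lamp shorts it too
    return {"overlap_refused": overlap_refused, "move_refused": move_refused,
            "short_refused": short_refused, "bypass_refused": bypass_refused,
            "wires": len(ed.wires)}


if __name__ == "__main__":
    print(demo())
```

The point of the union-find is that the short-circuit check is not local to the two terminals being connected: a wire around the lamp is refused because it joins the two wire classes that already contain the battery's terminals.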

At user level, Recopla provides a toolbar with buttons for the most common 
operations, such as copy, paste and undo; abstract (for the abstraction of a 
given selection); explode (for the explosion of an abstracted node); a button for 
the inspector, which shows all the hidden and visible attributes and properties 
of the selected object; and a tool-box button linked to the geometry browser, 
which allows the user to change the geometry of the selected node, that is, to 
change its shape and position, to rotate it, to flip it, to mirror it and to lock it. 
Recopla provides a grid for the background which is resizable via the grid 
browser and can be hidden. The editor can be set to snap objects to the grid. 

Recopla allows the editing of hypergraphs, that is, arcs can not only connect 
nodes to nodes but also arcs to nodes and arcs to arcs. This feature is very useful 
for UML editors. Recopla also allows the editing of hierarchical graphs, in which 
nodes themselves contain graphs. The user has to select the part of the graph to be 
abstracted and click the corresponding option. A nodes browser will be opened 
showing the nodes available to be selected for the abstraction. By clicking on one 
of them, the selected part of the diagram will be replaced by the node selected 
in the nodes browser. Abstracted nodes can be exploded. By exploding a node 
a new editor will be opened with the contents of that node for further editing. 
Deleting an abstracted node will delete only the abstraction and not the contents 
of the node. That is, the abstracted node will be replaced by its content. 

Programs can be bound to Recopla generated editors. In this way graph 
animation can be achieved, as well as pretty printing, routing and minimal-path 
computation. 

When generating an editor by giving the nodes, arcs, graphic elements and 
rules, Recopla will automatically generate an html page with the documentation 
of the current editor, with hyperlinks to html pages containing descriptions 
of the nodes and arcs included in the editor. 

The architecture of Recopla is organised in three layers: the graphical interface, 
where the user can draw a diagram using a drag-and-drop paradigm; the underlying 
semantics of the graphic editor, given by the edition rules; and finally the 
persistence of the saved diagrams. Recopla diagrams are saved as serialized 
objects and can then be stored in a repository using a CORBA interface. 

Recopla is written in Java which means it can run under any platform. 
Generated editors can be copied to other machines and other platforms (along 
with all other required files), and will be able to run without having to be 
recompiled, due to the cross-platform nature of Java. 

A new approach for diagram grammars is under development. The idea is 
to add to Recopla the possibility of specifying the grammar of the graph in 
an abstract way using relational grammars (see [BMHZ]), instead of the event-based 
model, which is more appropriate for context-free diagrams. This new 
approach is intended to allow the editing of context-dependent diagrams, allowing 
the rules for inserting, deleting, moving, etc. of nodes and arcs to be specified 
at a high level. The grammar should be confluent, but non-confluent grammar 
specifications are also supported. 

As an ongoing project, Recopla generated editors are being ported to run 
as signed applets inside web browsers for Intranet applications. It is planned to 
incorporate scaling and zooming capabilities into Recopla. Semantic rules will 
be added in order to generate code directly from diagrams. If the diagram 
represents a finite automaton then its equivalent regular expression can be generated. 
If the graph is a class diagram, different semantic rules could be written in order 
to generate Java code, C++ code, etc. Multiple windows will be added, with the 
ability to copy and paste among them. 

Recopla generated editors were successfully used for animated Petri nets, 
class and time diagrams, among others. 
Abstract. The PEP tool can be considered to be one of the most widely 
distributed Petri net based tools. A continuously increasing functionality 
and an adequate graphical user interface may have been good reasons for 
its acceptance. Currently the tool contains approximately 500,000 lines 
of source code, and supports (to the best of our knowledge) the widest 
variety of input formalisms and verification methods of all verification 
tools. We briefly review the most recent developments. 

Ftp-able versions of the tool and PEP related papers are available via 
http://theoretica.informatik.uni-oldenburg.de/~pep. 

Keywords: 3D visualisation, C code generation, Parallel programs, 
PEP, Petri nets, SDL, Simulation, Verification. 



1 New Petri Net Generators 

One of the key features of the PEP tool 0 is that simulation, analysis and 
verification of different input formalisms 

— SDL (Specification Description Language 0) systems, 

— parallel programs written in B(PN)² 0, 

— parallel finite automata (PFA) |TT|, 

— process algebra terms expressed in the PBC, 

— high-level (HL) Petri nets in the M-nets algebra |2|, and 

— low-level (LL) Petri nets |[P 

are based on Petri net theory. PEP’s existing transformers between different 
formalisms (PFA ⇒ B(PN)², B(PN)² ⇒ PBC, PBC ⇒ LL net, B(PN)² ⇒ HL 
net, and HL net ⇒ LL net) were complemented by two new compilers. 

An HL Petri net semantics of SDL HDj was implemented. In particular, dynamic 
creation as well as termination of processes and (also recursive) procedures 
are covered. Its integration in PEP supports almost the same simulation, analysis 
and verification methods as are available for B(PN)² programs: 

— An SDL simulation may be triggered by a Petri net simulation. 

— Standard analyses, such as deadlock detection are possible. 

* PEP has been a joint project between the ‘Universitat Hildesheim’, the ‘Carl-von- 
Ossietzky Universitat Oldenburg’ and the ‘Humboldt-Universitat zu Berlin’ which 
has been financed by the DFG (German Research Foundation). 
— CTL and LTL properties of SDL specifications may be checked. The user 
may, e.g., ask whether there exists an instance of a certain process Sender, 
such that whenever this instance is in state wait while its input queue is 
non-empty, then it may reach a state send while its variable X has value 3: 

EXISTS id IDSET(Sender) : 
  AG ( (Sender[id].state = wait ∧ Sender[id].noqueue > 0) ⇒ 
       (EF (Sender[id].state = send ∧ Sender[id].X = 3)) ) 

Such a formula is transparently transformed into a Petri net formula, which 
is then checked against the Petri net semantics. A resulting counterexample 
may finally be simulated in the SDL editor. 
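To make the semantics of the formula above concrete, here is an added example that is not PEP code (PEP translates the formula into a Petri net formula; this checks it directly on an explicit state graph). It evaluates the pattern AG(p ⇒ EF q) on a constructed Kripke structure of one Sender instance, with p = (state = wait ∧ noqueue > 0) and q = (state = send ∧ X = 3), and reports the reachable states at which the implication fails, each of which is the start of a counterexample. The two sender models, their transitions and the initial state are assumptions constructed for the example; the second model deliberately forgets to set X, so the property fails there.

```python
from collections import deque
from typing import Callable, Dict, List, Set, Tuple

State = Tuple[str, int, int]      # (state, noqueue, X) of one Sender instance
Succ = Dict[State, List[State]]   # explicit transition relation: state -> successors


def ef(succ: Succ, target: Callable[[State], bool]) -> Set[State]:
    """EF target as a least fixpoint: states from which some path reaches a target state."""
    result = {s for s in succ if target(s)}
    changed = True
    while changed:
        changed = False
        for s, nxt in succ.items():
            if s not in result and any(t in result for t in nxt):
                result.add(s)
                changed = True
    return result


def ag(succ: Succ, phi: Set[State]) -> Set[State]:
    """AG phi = not EF (not phi): states from which no path ever leaves phi."""
    return set(succ) - ef(succ, lambda s: s not in phi)


def reachable(succ: Succ, init: State) -> Set[State]:
    """Forward breadth-first search from the initial state."""
    seen, todo = {init}, deque([init])
    while todo:
        s = todo.popleft()
        for t in succ.get(s, []):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def check_sender(succ: Succ, init: State) -> Tuple[bool, List[State]]:
    """Evaluate AG((state = wait and noqueue > 0) -> EF(state = send and X = 3)) at init.

    Returns whether it holds and the reachable states that violate the implication."""
    p = lambda s: s[0] == "wait" and s[1] > 0
    q = lambda s: s[0] == "send" and s[2] == 3
    ef_q = ef(succ, q)
    implication = {s for s in succ if not p(s) or s in ef_q}
    holds = init in ag(succ, implication)
    witnesses = sorted(s for s in reachable(succ, init) if s not in implication)
    return holds, witnesses


def exists_instance(instances: Dict[int, Tuple[Succ, State]]) -> bool:
    """The EXISTS id IDSET(Sender) quantifier: some instance must satisfy the body."""
    return any(check_sender(succ, init)[0] for succ, init in instances.values())


# Constructed model of a sender that, on dequeuing, sets X to 3 before sending.
INIT: State = ("wait", 0, 0)
GOOD_SENDER: Succ = {
    ("wait", 0, 0): [("wait", 1, 0)],   # a message arrives in the input queue
    ("wait", 1, 0): [("send", 0, 3)],   # dequeue, X := 3, go to send
    ("send", 0, 3): [("wait", 0, 3)],
    ("wait", 0, 3): [("wait", 1, 3)],
    ("wait", 1, 3): [("send", 0, 3)],
}
# Constructed faulty variant: the dequeue transition forgets to set X.
BAD_SENDER: Succ = {
    ("wait", 0, 0): [("wait", 1, 0)],
    ("wait", 1, 0): [("send", 0, 0)],
    ("send", 0, 0): [("wait", 0, 0)],
}


if __name__ == "__main__":
    print(check_sender(GOOD_SENDER, INIT))   # (True, [])
    print(check_sender(BAD_SENDER, INIT))    # (False, [('wait', 1, 0)])
```

The AG operator is computed as the complement of EF over the negated argument, which is the standard dualisation and keeps the checker to a single fixpoint routine; the witness list is what a tool would hand to a simulator as the starting point of a counterexample.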

In order to improve the efficiency and to support hybrid modelling of parallel 
systems we added a compiler from PFA into M-nets m. A collection of 
finite automata together with a number of variable declarations is compiled in 
a B(PN)²-specific or SDL-specific way into an HL Petri net. 

2 New HL Petri Net Editing Facilities 

In addition to the usual net editing facilities, the HL Petri net editor of the PEP 
tool now supports a ‘programming with nets’ approach. 

1. The user may compose nets in parallel, in sequence, or in choice; transitions 
may be substituted by nets; and nets may be synchronised. 

2. Moreover, parameterised macro nets (e.g., variable, channel, or procedure 
nets) may be loaded from libraries and be instantiated (e.g., with the name 
or type of a variable). Likewise, program semantics may be constructed. 

3 New HL Petri Net Simulation Improvements 

The performance of the HL Petri net simulator was increased: 

— More elaborate analyses of the inscriptions as well as different caching 
mechanisms give a speed-up. 

— Petri net simulation may now be distributed over a network of computers 
(with possibly different operating systems). 

4 New 3D Visualisation Component 

Simulation plays a major role within the PEP tool. Based on a Petri net simulation 
engine, not only Petri nets but also, e.g., parallel programs can be simulated 
using a dedicated reference scheme unng. 

In particular for non-Petri-net experts, an interactive 3D visualisation of the 
modelled parallel system (e.g., an elevator) is more appropriate than a Petri net 
simulation. Thus, we included such an additional Java based feature na. 



524 Bernd Grahlmann 



We have chosen to base this visualisation on VRML (Virtual Reality Mod- 
elling Language). Thus, the user models, e.g., an elevator as a 3D VRML world 
using an arbitrary VRML editor. After this, the PEP tool offers the possibility to 
define certain graphical actions (e.g., that the door of the elevator is closed, the 
elevator moves up one floor, and the door is opened) on top of these worlds, and 
to bind such actions either directly to transition occurrences of the corresponding 
Petri net or to action occurrences of the corresponding parallel program. This is 
done in such an abstract way, that (in general) these bindings are automatically 
updated upon changes of the corresponding program (and thus resulting net). 
The new component may be used in three complementary ways: 

1. A random Petri net simulation which triggers a 3D visualisation may exhibit 
errors (even to non-experts) if, e.g., an elevator moves with an open door. 

2. Test scenarios may be created and checked easily by interacting with the 3D 
visualisation (e.g., mouse clicks on elevator buttons may guide the simulation). 

3. Transition sequences resulting from a verification may be used to trigger the 
simulation of a 3D elevator visualising specification errors to non-experts. 

5 New Code Generation 

Jager extended the C code generator for the parallel programming language 
B(PN)², which uses the parallelism of the operating system, to the handling of 
procedures. POSIX conformity, and thus operating system and compiler 
independence, was improved. Thus, PEP now supports generation of executable code. 



6 New Verification Facilities 

PEP’s verification component (a partial order based model checker mm, an 
interface to the BDD based CTL model checker SMV (712;-^, and an interface to 
the structural analysis component of INA [^) was extended and improved: 

— We sped up (by a factor of up to more than 100) the program verification 
with the SMV verifier using information provided by the different net 
generators. Compared with the original approach, we are, e.g., able to replace 
different variables which correspond to control flow points by one single 
variable, using invariant information calculated in almost zero time [ig. 

— INA was extended by a CTL model checker which performs state graph 
analysis supporting reductions based on stubborn sets and symmetries. 

— Spin m was integrated H2| including editing facilities for LTL formulae 
and a graphical interface to the options of the LTL model checker which is 
almost identical to the XSPIN interface. Based on an automatic translation 
of Petri nets into PROMELA, the user may now use the SPIN verifier in a 
transparent way for the verification of all kinds of input formalisms of PEP. 
— We integrated more algorithms based on linear programming: 

• a deadlock checker using net unfoldings m and 

• an extended reachability analyser which inputs the LL net m- 

— Moreover, we implemented a compiler from Petri nets into networks of com- 
municating automata in the FC2 format. Based on this translation we are 
integrating parts of the FC2tool set |^. As a first step we provided deadlock 
detection based on BDD/implicit representations of states. 

7 Conclusion 

We briefly presented some of the new features of the PEP tool. For a more 
detailed overview we refer to US) and the various papers which are available 
together with the tool at http://theoretica.informatik.uni-oldenburg.de/~pep. 

Acknowledgement: A lot of people (theoreticians and implementors) con- 
tributed to the development of the PEP system. Thanks! 
Abstract. We show the main features of the Abaco system, a semantic 
directed compiler generator, that produces object-oriented compilers 
from action semantics descriptions of programming languages. 



1 Introduction 

Action semantics ^ is a useful formalism to describe the semantics of programming 
languages. Its modular structure and formal notation, based on terms of the 
English language, make it easier to write descriptions of real programming 
languages. Some examples of real programming languages described in action 
semantics are PASCAL 0 and STANDARD ML 0. 

Action semantics formal notation is based on an algebraic specification model 
known as unified algebras 0. This model defines entities called sorts and opera- 
tions that manipulate them. 

An action semantic description for a programming language is divided into the 
following modules: 

— Abstract Syntax: describes the abstract syntax for the programming lan- 
guage. 

— Semantic Functions: describes a mapping from the abstract syntax tree 
(AST) of a program to its meaning. The meaning of a program uses ac- 
tion notation, the formal notation used in action semantics, to describe the 
program’s semantics. 

— Semantic Entities: defines the data types used by the language, and auxiliary 
sorts and operators used in the description. 

2 The Abaco System 

We built an automatic compiler generation tool named Abaco (Algebraic Based 
Action compiler). The system combines object-orientation and action semantics 
to produce implementations of programming languages from their action 
semantic descriptions. The system is composed of the following tools: 

— A generic unified algebras translator: this tool accepts unified algebras 
specifications and produces an object-oriented library that implements the given 
specification. The choice of object-oriented languages as target language is 
based on the similarities between the existing concepts in both models, for 
example the concepts of sort inclusion (in unified algebras) and class 
inheritance (in object-orientation). 

— A parser generator: this tool accepts an action semantic description of a 
programming language and builds a description that can be used with parser 
generators like Lex and Yacc to produce the parser for the specified language. 

— An action compiler: generates C++ code which implements an action that 
represents the meaning of a program in the described language (program 
action). 

The process of building a compiler for a described programming language 
has the following steps, shown graphically in Figure 1: 

1. The definition of the abstract syntax of the programming language is 
processed by the parser generator, which will generate the parser. The generated 
parser recognizes the source programs and produces their abstract syntax 
trees (AST). 

2. The programming language description is processed by the unified algebras 
translator, which will produce a library, named dynamic library, that is 
able to give the meaning of a program, represented as an AST produced 
by the parser, according to the language’s action semantics description. 

3. To be correctly compiled, programs written in the specified language will 
need a library that defines the data types used by the language. This library, 
named static library, is obtained by processing the semantic entities of the 
programming language description with the unified algebras translator. 

4. The dynamic library is linked with the action compiler to produce the code 
generator for the specified language. This program is able to produce C++ 
programs from the ASTs produced by the parser generated in step 1. The C++ 
programs generated by the code generator can be compiled using a generic 
C++ compiler. 

The generated compiler is formed by the parser, the code generator, the static 
library and a generic C++ compiler. Its architecture and compilation process are 
shown in Figure 2. 

3 Conclusions 

The Abaco system is useful to prototype semantic descriptions of programming 
languages. Its main characteristic is to produce a dynamic implementation for 
the data types of the described language. This enables the generated compiler to 
represent more accurately the peculiarities of the specified programming 
language. 

A prototype of this system was implemented using the C++ language and was 
tested using the GNU C++ compiler (GCC) on the Solaris operating system, but 
it could work on every system supporting the C++ language. The source code of 
this implementation can be obtained at the Recife Action Tools home page 0). 
Abstract. Reactive systems are a very important class of systems for 
engineering organisations. The role of software is now dominant and its share 
of system construction costs is ever increasing. However, in spite of much 
research devoted to reactive systems development, proper engineering 
languages, methods and tools, as construed by the conventional engineering 
community, are not available to support the technology. We examine the state 
of play and suggest a way ahead for putting into place appropriate technology 
for industry. 



1 Introduction 

There is a growing interest in providing methods and tools to support the 
development of (real-time) reactive systems. Reactive systems are a very important 
class of systems for engineering organisations. The role of software is now dominant 
and its share of system construction costs is ever increasing. However, in spite of 
much research devoted to reactive system development, proper engineering 
languages, methods and tools are not available to support the technology ([18]). 

According to [16], the day to day activities of engineers consist of normal design, 
as comprising “the improvement of the accepted tradition or its application under 
‘new or more stringent conditions’”. He goes on to say: “The engineer engaged in 
such design knows at the outset how the device in question works, what are its 
customary features, and that, if properly designed along such lines, it has good 
likelihood of accomplishing the desired task.” 

[12] discusses this concept of ‘normal design’, although he does not use this phrase 
himself. “An engineering handbook is not a compendium of fundamental principles; 
but it does contain a corpus of rules and procedures by which it has been found that 
these principles can be most easily and effectively applied to the particular design 
tasks established in the field. The outline design is already given, determined by the 
established needs and products.” ... “The methods of value are micro-methods, 
closely tailored to the tasks of developing particular well-understood parts of 
particular well-understood products.” 

A.M. Haeberer (Ed.): AMAST'98, LNCS 1548, pp. 17-22, 1998. 
© Springer-Verlag Berlin Heidelberg 1998 

18 Thomas S.E. Maibaum, Pauline Kan, and Kevin Lano 

An implied but not explicitly stated view of engineering design is that engineers 
normally design devices as opposed to systems. A device, in this sense, is an entity 
whose design principles are well defined, well structured and subject to normal 
design principles. A system, in this sense, is an entity that lacks some important 
characteristics making normal design possible. “Systems are assemblies of devices 
brought together for a collective purpose.” Examples of the former given by [16] are 
airplanes, electric generators, turret lathes; examples of the latter are airlines, electric- 
power systems and automobile factories. The software engineering equivalent of 
devices may include compilers, relational databases, PABXs, etc. Software 
engineering examples of systems may include air traffic control systems, internet 
banking systems, .... 

It would appear that systems become devices when their design attains the status of 
being normal, i.e., the level of creativity required in their design becomes one of 
systematic choice, based on well defined analysis, in the context of standard 
definitions and criteria developed and agreed by the relevant engineers. The 
implications of this conception of design are clear: the design methods of engineers 
are specific and heavily systematised. The implication is that the design environment 
and supported methods are highly specific and heavily domain dependent. (An 
obvious conclusion may be that environments designed to be very general in their 
application are likely to be less than effective in any particular domain, not being able 
to deal directly with the concepts, notations and methods of that domain.) 

The software engineering equivalent of such “normal methods” for the design of 
devices are best exemplified by systems such as PLANWARE [19] which 
automatically generates a scheduling program from two inputs by a user: a 
classification of the kind of problem being solved (amongst four classes organised in 
a simple hierarchy) and a spreadsheet which is used to record attributes of the specific 
problem. A lot of theory and past system development experience has gone into the 
construction of this automated tool, which may be said to resemble a wizard as seen 
in many modern applications. PLANWARE addresses a class of problems for which 
the required engineering design knowledge can be encapsulated in a one step 
interaction. Reactive systems as a class are not so simple and require more 
sophisticated multi-step design methods. Nevertheless, guided by the concept of 
normal design, we want to look at reactive systems and apply the same principles of 
design by classification. 



2 Design by Classification 

In PLANWARE, what is actually being classified is the kind of scheduling problem 
being addressed. This then derives choices amongst potential algorithms to be used 
and data structure implementations to be generated. These may obviously be regarded 
as choices amongst particular patterns (algorithmic or data oriented, see [13]) that 
may be relevant to the class of problems. Reactive systems are not algorithms, as 
such, so what is the equivalent concept of pattern to be applied to classifying reactive 
systems? The concept of software architecture ([11, 17]) provides an appropriate 
starting point. 

Loosely, a software architecture is a definition of the structure of a software 
system in terms of (functional) components and so-called connectors. The latter are 
themselves software components, but ones which are meant to standardise the form of 
interaction between the components being connected. The ‘pipes and filters’ based 
scripting facilities of some operating systems may be seen as primitive examples of 
these sorts of structuring ideas. The problem frame proposals of [17] may also be 
seen in this light, at least as far as defining structure for requirements is concerned. 

In order to achieve normality for reactive system design, we must provide 
systematised choice, based on well-defined analysis, in the context of standard 
definitions and criteria developed and agreed by the relevant engineers. If we are to 
use software architecture to systematise choice, then we must find the right 
architectures for conceivable classes of reactive systems and then organise them in 
some way, presumably using some notion of hierarchy. These concepts have been 
explored in the setting of a formalisation of object oriented concepts using theories in 
temporal or modal logic and universal constructions of category theory for structuring 
systems from components ([20]). By using such an approach based on object oriented 
concepts, we can use notions such as inheritance as relations underpinning a concept 
of architectural hierarchy. 

We are not going to attempt to organise the whole subject area of reactive systems 
in this manner, but we can try the approach within more tightly constrained domains, 
eventually learning through this process how to organise larger parts of the area. The 
domains about which we have specific knowledge and which would appear to 
conform to our objectives include the design of PABXs and of process control 
systems. Below we describe our experience in this domain, highlighting the concepts 
of systematised choice, well-defined analysis, and standard definitions and criteria. 



3 Process Control Applications 

The B language [1, 2] is used for formal specification and design of reactive systems, 
in particular safety critical systems. It is based on first order predicate logic and set 
theory. Its operations are defined using an extension, GSL, of Dijkstra's guarded 
command language. It is a modular language; the modules encapsulate states and 
operations on these states, in a style similar to that of the language Ada. Procedural 
Control Theory (PCT) [3, 4] is used to synthesise algorithms for control devices at a 
high level (abstract design of behavioural specifications), termed Procedural 
Controllers. It is built upon standard control engineering methods, and introduces the 
concept of ordered actions in response to system events. It provides a systematic 
means of transforming the control logic of a system to finite state machines (FSM), 
requiring no timed or parameterised transitions. As these FSMs are mathematically 
guaranteed to model the processing behaviour required to meet system specifications, 
they can be used as a provably correct specification in B. Several case studies that have 
been developed using the techniques will be described and used as examples. 

A set of detailed guidelines has been formed to specify in B controllers for reactive 
systems. Six steps have been identified [5, 6], these being: 

1. Finite State Machines are produced for each component in the model, 
representing individual component behaviour. Two types of transitions exist: 
controllable transitions, which are output control signals from the controller 
to the component, and uncontrollable transitions, which are component input 
events sent to the controller. 

2. Formalisation of Properties. Three types of properties need to be 
formalised: Required Reactions to Events are actions required in response to 
all possibly occurring system events; Safety Properties are conditions and 
actions required for the prevention of hazardous situations; Temporal 
Properties are representations of liveness and timing requirements. The 
language of Object Calculus [7] can be used for this representation. 

3. Data and Control Flow Diagrams (DCFDs) show the communication 
between controllers and system hardware (as signals from sensor devices to 
the controller). The controller reacts to the input signals by sending 
appropriate commands to actuators (such as valves and pumps). The 
decomposition structure of the controllers is clearly discernible in the 
DCFDs. There are two types of signals: from sensors to controllers and 
controller commands to the actuators and successor controllers. 

4. Specification of Controllers in B. Each system event that can occur must 
have a corresponding operation, describing required actions to be taken. A 
controller is an ‘overseer’ in the system. It is possible to have a controller 
governing each mode of system operation, or each system component. 

5. Implementation of Controllers in B. No ordering of actions is required at 
the specification level (step 4). The concern is with the set of actions needed. 
Ordering of actions is introduced during the implementation stage only. 

6. Specification and Implementation of ‘Outer Controller’ Component. The 
Outer Controller module interfaces the controlling software with the external 
world. Detection of input events from system components is by, for example, 
polling or buffered event transmission techniques. 
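As an added example that is not the authors' B models or their case studies, the six steps can be exercised in Python on a hypothetical process control loop: a tank with a valve, a pump and a level sensor. Component FSMs carry controllable transitions (controller commands) and uncontrollable ones (sensor events and a pump fault); the safety property is "the pump never runs while the valve is closed"; the controller specification maps each event to an unordered set of required reactions (step 4), the implementation fixes their order (step 5), an outer-controller routine delivers one event and runs the reactions (step 6), and an exhaustive closed-loop exploration over all event interleavings checks the property in every intermediate state, so a wrong ordering is caught. The components, events, property and both orderings are constructed for this example.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

State = Dict[str, str]                      # component name -> local state
Transition = Tuple[str, str, str]           # (from, label, to)

# Step 1: one FSM per component (constructed).  Labels in COMMANDS are controllable
# transitions issued by the controller; every other label is an uncontrollable
# event that the component reports to the controller.
COMPONENTS: Dict[str, Set[Transition]] = {
    "valve": {("closed", "open_valve", "open"), ("open", "close_valve", "closed")},
    "pump":  {("off", "start_pump", "on"), ("on", "stop_pump", "off"),
              ("on", "pump_fault", "off")},
    "level": {("low", "level_high", "high"), ("high", "level_low", "low")},
}
COMMANDS = {"open_valve", "close_valve", "start_pump", "stop_pump"}
EVENTS = {lbl for fsm in COMPONENTS.values() for _, lbl, _ in fsm} - COMMANDS
INIT: State = {"valve": "closed", "pump": "off", "level": "low"}


# Step 2: a safety property (constructed): the pump must never run against a closed valve.
def safe(state: State) -> bool:
    return not (state["pump"] == "on" and state["valve"] == "closed")


# Step 4: the specification says only WHICH reactions each event requires.
CONTROLLER_SPEC: Dict[str, Set[str]] = {
    "level_low":  {"open_valve", "start_pump"},
    "level_high": {"stop_pump", "close_valve"},
    "pump_fault": {"close_valve"},
}

# Step 5: the implementation fixes the ORDER.  The first ordering keeps the
# property true between actions; the second (constructed to fail) does not.
SAFE_ORDER = ["open_valve", "start_pump", "stop_pump", "close_valve"]
BAD_ORDER = list(reversed(SAFE_ORDER))


def fire(state: State, label: str) -> Optional[State]:
    """Fire label in the component that accepts it; None if it is not enabled."""
    for comp, fsm in COMPONENTS.items():
        for src, lbl, dst in fsm:
            if lbl == label and state[comp] == src:
                return {**state, comp: dst}
    return None


def react(state: State, event: str, order: List[str]) -> Optional[List[State]]:
    """Step 6: the outer controller delivers one event, then the ordered reactions run.

    Returns every state passed through (after the event and after each action)."""
    after = fire(state, event)
    if after is None:
        return None
    trace = [after]
    for action in (a for a in order if a in CONTROLLER_SPEC.get(event, set())):
        nxt = fire(trace[-1], action)
        if nxt is not None:
            trace.append(nxt)
    return trace


def explore(init: State, order: List[str] = SAFE_ORDER) -> Tuple[int, List[State]]:
    """Exhaustive closed-loop exploration over all event interleavings.

    Returns the number of quiescent states and the unsafe states met on the way,
    intermediate ones included."""
    key = lambda s: tuple(sorted(s.items()))
    seen = {key(init)}
    todo = deque([init])
    unsafe: List[State] = [] if safe(init) else [init]
    while todo:
        s = todo.popleft()
        for event in sorted(EVENTS):
            trace = react(s, event, order)
            if trace is None:
                continue
            for t in trace:
                if not safe(t) and t not in unsafe:
                    unsafe.append(t)
            if key(trace[-1]) not in seen:
                seen.add(key(trace[-1]))
                todo.append(trace[-1])
    return len(seen), unsafe


if __name__ == "__main__":
    print(explore(INIT))              # (3, [])
    print(explore(INIT, BAD_ORDER))   # first unsafe state: valve closed, pump on, level low
```

Checking the intermediate states of each reaction is what distinguishes this from a plain simulation: both orderings end every reaction in the same quiescent state, and only the ordered implementation of step 5 decides whether the pump is ever switched on before the valve opens.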

The specification of the controlling algorithm can be modularised and decomposed 
into conceptually coherent and verifiable sub-components. Three ways of 
decomposing the controlling algorithm have been identified. Horizontal 
Decomposition of Controllers: is based on a physical decomposition of the actual 
system. Events from the external world are copied to two separate sub-control 
algorithms, say, S1 and S2. Both S1 and S2 will compute their reactions 
independently of each other. However, this is (i) only feasible where S1 and S2 
require the use and control of disjoint sets of actuators; (ii) only practical where few 
sensors are shared; and (iii) responses cannot be time-critical relative to each other. 

Systematising Reactive System Design 

Vertical Decomposition of Controllers: is also known as hierarchical 
decomposition. Events e are handled by the main controller S, which is responsible 
for certain interactions between components, for example, to maintain system safety 
invariants. The events e are then forwarded to subordinate controllers S1, ..., Sn, 
which are responsible for the management of individual subcomponent behaviour. 
This structure is appropriate in systems where control can be separated and managed 
at both an aggregate and an individual component level, as in the Chain of 
Responsibility design pattern, where the responsibility for various control aspects of a 
system can be delegated to different levels. Again this is usually based upon a 
physical decomposition of the actual system. 

Decomposition by Control Mode: splits the system in terms of modes of operation, 
or phases. A separate controller is specified for each mode, which will handle the 
responses for each event occurrence in that mode [8]. 

The detection of faults by the controlling software can be either inherent in the 
control algorithm, or delegated to different levels of control (Chain of Responsibility 
pattern). In the flexible production cell, a schedule is created for each blank arriving 
in the system, giving its arrival time and duration at each system location. Schedules 
can then be derived for each crane, processing unit and deposit belt. The combined 
schedules form a system timetable, which can be used to detect component failures 
by comparing the actual and scheduled progress of each component. Should a 
difference occur, fault-tolerance software can then be initiated. A similar approach 
is used in train signalling systems. The Chain of Responsibility design pattern has 
also been applied to the Steam Boiler example [14] and the flexible cell example, 
amongst others. It appears that variations of it, which can be organised hierarchically 
as software architectures, have universal applicability in this process control domain. 
Detection of invalid data transmission is performed by the outermost controlling 
level, separately from the detection of component failures (performed by the topmost 
controlling software). The calculation of responses by individual components is then 
performed by a lower-level controller. 



Conclusions 

As we learn more about process control applications, we find that a domain-specific 
set of software architectures and control algorithms and a set of design heuristics 
serve to systematise software design. We believe that this can be taken to the point 
that a ‘design wizard’ can be built which would assist conventional control engineers 
in the construction of highly reliable software-based process control systems without 
the need for intervention by engineers with esoteric skills such as model checking or 
interactive proof. We further believe that this is the way forward in other domains of 
reactive systems. 
Abstract. Feature interaction is a severe practical problem in the design 
and maintenance of telecommunication software. The Distributed 
Feature Composition (DFC) virtual architecture provides a new formal 
foundation for large-scale, modular description of telecommunication features. 
It also provides a semantic structure within which feature interactions 
can be diagnosed, and undesirable ones can be prevented or cured. 
This approach is illustrated by a systematic treatment of the interactions 
among the class of “call coverage” features. Language semantics 
and analysis techniques link this domain-specific reasoning to formal 
verification of system properties. 



Keywords: telecommunications, feature interaction, formal methods, modularity, soft- 
ware architecture, analysis, verification. 



1 A Challenge to Formal Methods: The Feature-Interaction Problem in Telecommunications 

Many descriptions of systems are organized into modules called features. More 
specifically, the system description is a composition of a base description and 
some feature descriptions. What distinguishes features from other types of mod- 
ule is that each feature is optional — usually any subset of a valid feature set is 
also a valid feature set. Feature modularity is popular, particularly for informal 
descriptions, because it makes system descriptions easier to understand, modify, 
and extend. 

Features can modify or influence each other in describing the overall system 
behavior. Although the mechanisms through which features interact depend on 
the language for specifying features and the rule for composing them, feature 
interactions must be possible in any useful description technique, because many 
feature interactions are necessary or desirable. 

Feature-interaction problems arise when the result of composing acceptable 
feature specifications is unacceptable in some way. Depending on language or 
composition semantics and engineering choices, a composition might be considered 
unacceptable because it is inconsistent, incomplete, not associative, nondeterministic, 
unimplementable, or incorrect with respect to some global constraint 
on system behavior. 

Feature-interaction problems are particularly severe in the domain of 
telecommunications. Among other reasons, telecommunication systems grow over time 
to have hundreds or even thousands of features. Desirable feature interactions 
are common (many features are explicit exceptions to other features), so it is 
not surprising that undesirable feature interactions are also common. Many new 
features are technology-driven, which causes problems because new technologies 
tend to undermine assumptions and invariants upon which older features depend. 
The scope and severity of these problems are amply illustrated by the 
proceedings of three workshops on the subject [?]. 

Despite much research activity on the problem of feature interaction in 
telecommunications, there is little sense of progress [?]. The fundamental 
difficulty is that existing formal description techniques are insufficiently modular. 
It is too likely that introducing a new feature to a system description will 
introduce undesirable feature interactions, thus demanding changes to previous 
features (this is referred to as “non-monotonicity” by Velthuijsen). To manage the 
complexity of telecommunications successfully, a formal description technique 
must make it easy to describe features that are independent or that interact 
with others only in desirable ways. At the same time, there must be no loss of 
generality. 

2 Foundation: The Distributed Feature Composition Virtual Architecture 

Distributed Feature Composition (DFC) is a new architecture for the description 
of telecommunication services, developed by Michael Jackson and myself (full 
details and feature examples can be found elsewhere [?]). It was designed to 
capture the full range of behavior of these systems while abstracting away from 
most of the implementation detail. It was also designed for feature modularity. 
As it achieves these goals to a significant degree, it provides a good foundation 
for new work on feature interaction. 

In the pipe-and-filter architectural style [?], a filter is an independently scheduled 
process and a pipe is a buffered communication channel following a uniform 
protocol. Filters have no communication with other filters except through pipes, 
and a filter does not know what is on the other ends of its pipes (the configuration 
of pipes and filters is usually assumed to be static). The advantage of this 
architectural style is that it is modular with respect to filters. 

DFC can be thought of as an adaptation of the pipe-and-filter style to the 
telecommunication domain, with featureless, internal, two-party voice calls as 
pipes and with feature boxes as filters. Assemblies of pipes and filters, known as 
usages, are created dynamically (through a routing procedure) in response to 
external service requests. Since the goal is feature modularity, and some features 
are realized by more than one feature box, different boxes implementing the 
same feature are allowed to share state. 

3 A DFC-Based Method for Preventing Feature-Interaction Problems 

A method for preventing feature-interaction problems in DFC-based descriptions 
has the following steps: 

1. Engineers write initial feature descriptions, thinking of the features (as usual) 
in isolation. 

2. An algorithm checks that constraints on descriptions of individual features 
are satisfied (backtrack if the check fails). The constraints are intended to 
impose predictability without actually limiting the features that can be de- 
scribed. In particular, they enable us to design algorithms for detecting pos- 
sible feature interactions. 

3. An analysis algorithm generates a list of possible interactions among the 
features. Some of these interactions will be desirable, and some will not. 
Both kinds are difficult for people to predice unaided. 

4. Engineers decide on the desired behavior, encode it in the feature descrip- 
tions, and repeat the method from Step 3 onward until the only remaining 
feature interactions are desirable ones. 

Although these steps are not defined in terms of aspects of DFC, the use of 
DFC is important for the success of this method, for several reasons: 

— Its generality ensures that all desired features can be specified. 

— Its abstraction and structural constraints make it possible to detect a broad 
range of feature interactions algorithmically from descriptions of individual 
features. Where abstraction and structure are lacking, the only feature 
interactions that can be detected automatically are violations of explicitly 
stated external correctness properties. These properties must be formulated 
manually, and the task of doing so has proven to be extremely difficult [?]. 

— Its modularity means that the desired behavior can usually be achieved just 
by describing individual features wisely. It is seldom necessary to increase 
description complexity or compromise feature modularity by “programming” 
deliberate cooperation among features. 

4 Details of the Method for Call-Coverage Features 

The class of call-coverage features has a technical definition within the DFC 
architecture. The class gets its name because the usual purpose of a call-coverage 
feature is to cover for a callee who cannot or will not answer an incoming call. 
Some of the best-known features, such as Unconditional Call Forwarding, Call 
Forwarding on Busy, Call Forwarding on No Answer, Call Screening, and Return 
Call, are call-coverage features. 
Some constraints imposed by the method on feature descriptions ensure that 
a feature box is transparent (unobservable by other boxes in the usage) except 
when the specific function of the feature is involved. Other constraints ensure 
that a feature box notifies its environment about some of its internal activities, 
such as use of voice channels. This information is necessary for other feature 
boxes to coordinate their efforts. 

Many different types of interaction are detectable. For example, a feature can 
cancel another under certain circumstances, or take priority over it in responding 
to a particular condition. One feature can delay another, suspend another, or 
cause it to receive status signals from another person’s telephone as if they came 
from the feature’s subscriber’s telephone. Features contend with each other for 
use of a voice path to communicate with a user by means of announcements and 
touch-tones. 

Despite this variety, most of the time the desired interaction behavior can 
be achieved simply by adjusting the feature precedences, which determine the 
order in which feature boxes appear in a usage. 



5 Application of the Method to a Useful Set of Call-Coverage Features 

Consider a telephone with Caller Identification and rich capabilities for confer- 
encing and time-multiplexing individual calls. With such an interface, a user 
could easily manipulate multiple incoming, unanswered calls. 

Added to this powerful interface, four call-coverage features would provide 
the user with a great deal of convenience and flexibility: 

OM With Outbound Messaging, a callee can leave a message to be played if 
a particular person calls. Alternatively, the callee can request that a yet- 
unanswered caller hear a prerecorded message such as, “I will be able to 
answer you very shortly, please stay on the line.” 

IM Inbound Messaging gives the caller the ability to leave a voice message for 
the callee. 

SCF With Selective Call Forwarding, the callee can specify ahead of time that 
calls from a particular person should be forwarded to another destination. 
Alternatively, the callee can forward a current incoming call instead of an- 
swering it. 

BUCP Blocking with Urgent Calling Privilege enables the callee to block all 
incoming calls or, alternatively, to receive only urgent calls from a particular 
set of privileged callers. 

These features are not simple, and their set of possible interactions is large — 
large enough to contain surprises for even the most experienced feature designer. 
The method is applicable, however, and the best possible interaction behavior 
can be specified without any loss of feature modularity. 
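A toy model of the precedence mechanism of Section 4, applied to the four features of Section 5, added here as a Python example; it is not part of the original paper nor of any DFC implementation. Feature boxes are placed in a usage in precedence order, each box is transparent unless its specific function is involved, and an analysis step lists the boxes that would respond to the same signal if each were alone in the usage (a possible interaction) next to the box that actually wins under the chosen precedence. The signal fields, the subscriber data for OM, IM, SCF and BUCP, the `answered` flag standing in for a "no answer" condition, and the rule that the first responding box determines the outcome are all simplifying assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Setup:
    """Assumed setup signal travelling from caller toward callee. `answered`
    records whether the callee's phone answered, so that 'no answer'
    conditions can be evaluated in this simplified model."""
    caller: str
    callee: str
    urgent: bool = False
    answered: bool = False


@dataclass
class Outcome:
    action: str      # "block", "forward", "message", "ring" or "connect"
    detail: str = ""


class FeatureBox:
    name = "base"

    def react(self, s: Setup) -> Optional[Outcome]:
        """None means the box is transparent and passes the signal on."""
        return None


class BUCP(FeatureBox):
    """Blocking with Urgent Calling Privilege. mode: off | block_all | urgent_only."""
    name = "BUCP"

    def __init__(self, mode, privileged=()):
        self.mode, self.privileged = mode, set(privileged)

    def react(self, s):
        if self.mode == "off":
            return None
        if self.mode == "urgent_only" and s.urgent and s.caller in self.privileged:
            return None
        return Outcome("block", f"{s.caller} blocked by {s.callee}")


class SCF(FeatureBox):
    """Selective Call Forwarding: calls from particular people go elsewhere."""
    name = "SCF"

    def __init__(self, forward_map):
        self.forward_map = forward_map

    def react(self, s):
        dest = self.forward_map.get(s.caller)
        return Outcome("forward", dest) if dest else None


class OM(FeatureBox):
    """Outbound Messaging: play the callee's message to a particular caller."""
    name = "OM"

    def __init__(self, messages):
        self.messages = messages

    def react(self, s):
        msg = self.messages.get(s.caller)
        return Outcome("message", f"play: {msg}") if msg and not s.answered else None


class IM(FeatureBox):
    """Inbound Messaging: let an unanswered caller record a message."""
    name = "IM"

    def react(self, s):
        return None if s.answered else Outcome("message", "record caller's message")


def run_usage(boxes, s):
    """Boxes appear in precedence order; the first box whose function is
    involved takes priority and determines the outcome."""
    for box in boxes:
        out = box.react(s)
        if out is not None:
            return box.name, out
    return "phone", Outcome("connect" if s.answered else "ring")


def responders(boxes, s):
    """Boxes that would respond to `s` if each were alone in the usage.
    Two or more is a possible interaction that the precedence must settle."""
    return [b.name for b in boxes if b.react(s) is not None]


def interaction_report(boxes, signals):
    report = []
    for s in signals:
        winner, out = run_usage(boxes, s)
        report.append({"signal": f"{s.caller}->{s.callee}",
                       "responders": responders(boxes, s),
                       "winner": winner, "action": out.action})
    return report


def bob_usage(precedence):
    """Constructed subscriber data for callee 'bob'; `precedence` orders the boxes."""
    catalog = {
        "BUCP": BUCP("urgent_only", privileged={"alice", "dave"}),
        "SCF": SCF({"alice": "carol"}),
        "OM": OM({"dave": "Back in five minutes, please hold."}),
        "IM": IM(),
    }
    return [catalog[name] for name in precedence]


SIGNALS = [                                   # constructed incoming calls to bob
    Setup("alice", "bob"),                    # not urgent, not answered
    Setup("alice", "bob", urgent=True),
    Setup("dave", "bob", urgent=True),
    Setup("dave", "bob", urgent=True, answered=True),
]

if __name__ == "__main__":
    for order in (["BUCP", "SCF", "OM", "IM"], ["SCF", "BUCP", "IM", "OM"]):
        print(order)
        for row in interaction_report(bob_usage(order), SIGNALS):
            print("  ", row)
```

With BUCP ahead of SCF, alice's non-urgent call is blocked; reversing the two forwards it to carol instead, and the same kind of swap decides whether OM's announcement or IM's recording gets the voice path when dave goes unanswered. These are the interactions the paper says are best settled by adjusting precedences rather than by programming cooperation between boxes; what the model does not capture is the richer signalling (status notifications, contention for the voice path over time) that the real analysis works from.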
6 Issues of Language, Analysis, and Verification 

The reasoning outlined in Section 4 is domain-specific. It is easily justified, 
because the possibility of an interaction can be established convincingly by an 
example. The necessary analysis is defined on feature descriptions written in 
Promela and Z, as explained elsewhere [?]. 

One obvious flaw in this treatment is that there is no guarantee against 
further, undetected feature interactions. It would be valuable to be able to verify 
general global properties of feature sets. These global properties could include 
non-interference properties and rules of telephone etiquette. 

General-purpose verification of DFC descriptions is likely to be challenging 
because of the wide-spectrum nature of the descriptions, not to mention the 
inherent behavioral complexity of telecommunication systems. This goal may 
be best reached by describing feature sets using one or more different formal 
notations, for example algebraic specifications of stream processing [?]. 
Abstract. Generalized Verification Diagrams combine deductive and 
algorithmic verification to establish general temporal properties of finite- 
and infinite-state reactive systems. The diagram serves as an abstraction 
of the system. This abstraction is deductively justified and algorithmically 
model checked. We present a new simple class of verification diagrams, 
using Muller acceptance conditions, and show how they can be 
used to verify general temporal properties of reactive systems. 



1 Introduction 

Reactive systems maintain an ongoing interaction with their environment, and 
include discrete, real-time and hybrid systems. Deductive verification is based on 
verification rules, which reduce the system validity of a temporal property to the 
general validity of first-order verification conditions. This methodology is com- 
plete relative to the underlying first-order reasoning, and allows the verification 
of a wide range of infinite-state systems. However, the proofs can be difficult to 
construct and understand, particularly as the complexity of the system increases. 

Verification Diagrams provide a graphical representation of a deductive proof, 
summarizing the necessary verification conditions, and are therefore easier to 
construct and understand. Generalized Verification Diagrams extend them to 
be applicable to arbitrary temporal properties, replacing the well-formedness 
check on the diagram by a finite-state model checking step. 

Diagrams can also be seen as an abstraction of the system, where properties 
of the diagram are guaranteed to hold for the system as well. The diagram 
represents the aspects of the system relevant to the property to be proved, and 
serves as an intermediary between the system and the property. To prove that 
a system S satisfies $\varphi$, we can find a diagram $\Psi$ such that 

$$\mathcal{L}(S) \subseteq \mathcal{L}(\Psi) \subseteq \mathcal{L}(\varphi) ,$$

where $\mathcal{L}(S)$ is the set of computations of S, $\mathcal{L}(\Psi)$ is the set of computations of 
the diagram, and $\mathcal{L}(\varphi)$ is the set of models of $\varphi$. 

The inclusion $\mathcal{L}(S) \subseteq \mathcal{L}(\Psi)$ is proved deductively, by establishing verification 
conditions, and is equivalent to proving the correctness of an abstraction of S. 
On the other hand, $\mathcal{L}(\Psi) \subseteq \mathcal{L}(\varphi)$ can be proved algorithmically, viewing the 
diagram as a finite $\omega$-automaton. As $\omega$-automata, diagrams can capture a class 
of properties that is strictly more general than those expressible in linear-time 
temporal logic. 

Verification diagrams are thus a way of combining model checking and deduc- 
tive verification. As abstractions, diagrams can be re-used in proofs of different 
properties, and provide visual documentation of the behaviors of the system. 

In this paper we present a new, simple version of Generalized Verification 
Diagrams, based on Muller acceptance conditions. The Streett acceptance con- 
ditions of [HMS95] are equally expressive and more concise, but the new presen- 
tation allows a simpler, alternative definition. We show how these diagrams can 
be viewed as system abstractions, and used to verify general temporal properties 
of reactive systems. 

Outline: Section 2 presents the basic background material. Section 3 presents 
the new class of Generalized Verification Diagrams. We discuss some practical 
issues in Section 4 and present related work in Section 5. In Section 6 we conclude 
by briefly describing our implementation of these methods in the Stanford 
Temporal Prover, STeP. 

2 Background 

2.1 Specifying Systems and Properties 

We represent reactive systems as fair transition systems [MP95]. A fair transition 
system $(\Sigma, \Theta, \mathcal{T})$ is given by a set of states $\Sigma$, an initial condition $\Theta$, which is a 
subset of $\Sigma$, and a set of transitions $\mathcal{T}$, each of which is a binary relation over 
$\Sigma$, describing how the system can move from one state to the next. 

In our framework, we assume an assertion language based on first-order logic. 
The set $\Sigma$ of possible system states is defined by a finite set of system variables 
$V$; each transition $\tau$ is described by its transition relation $\rho_\tau(V, V')$, an assertion 
over the system variables $V$ and a set of primed variables $V'$ indicating their 
next-state values. Similarly, $\Theta$ can be expressed as an assertion over the system 
variables. We assume that $\mathcal{T}$ includes an idling transition, whose transition 
relation is $V = V'$. We use the standard triple notation for verification conditions, 

$$\{\varphi\}\;\tau\;\{\psi\} \;\stackrel{\text{def}}{=}\; (\varphi(V) \wedge \rho_\tau(V, V')) \rightarrow \psi(V') .$$

A run of S is an infinite sequence of states $s_0, s_1, \ldots$, where $s_0$ satisfies $\Theta$ 
and for every $s_i$ there is a transition $\tau$ such that $(s_i, s_{i+1})$ satisfies $\rho_\tau$. In this 
case we say that $\tau$ is taken at $s_i$. The enabled predicate characterizes the set of 
states at which a transition $\tau$ can be taken: 

$$enabled(\tau) \;\stackrel{\text{def}}{=}\; \exists V' .\, \rho_\tau(V, V') .$$
    local x, y : integer where x = 0 ∧ y = 0 

    P1 :: loop forever do 
            ℓ0: awaitc x = 0 
            ℓ1: y := y + 1 

    || 

    P2 :: loop forever do 
            m0: while x > 0 do 
                  m1: x := x − 1 
            m2: x := y 

Fig. 1. Program LOOPS 



Transitions can be marked as just or compassionate. Just (or weakly fair) 
transitions cannot be continuously enabled without ever being taken. Compassionate 
(or strongly fair) transitions cannot be enabled infinitely often without 
being taken. Every compassionate transition is also just. A computation is a run 
that satisfies these fairness requirements. 

Properties of systems are expressed as formulas in linear-time temporal logic 
(LTL). Assertions, or state-formulas, are first-order formulas with no temporal 
operators, and can include quantifiers. Temporal formulas are constructed 
from assertions, boolean connectives, and the usual future ($\Box$, $\Diamond$, $\bigcirc$, $\mathcal{U}$, $\mathcal{W}$) 
and past ($\boxminus$, $\Diamond^{-}$, $\ominus$, $\mathcal{B}$, $\mathcal{S}$) temporal operators [MP95]. A model of a temporal 
property $\varphi$ is an infinite sequence of states $s_0, s_1, \ldots$ that satisfies $\varphi$. For a 
system S, we say that $\varphi$ is S-valid if all the computations of S are models of $\varphi$. 

Example 1. Figure 1 shows program LOOPS, written in the Simple Programming 
Language (SPL) of [MP95]. SPL programs can be naturally translated 
into corresponding fair transition systems, following the semantics of each of 
the SPL constructs. To each process corresponds a control variable. For LOOPS, 
the control variables for processes P1 and P2 range over locations $\{\ell_0, \ell_1\}$ and 
$\{m_0, m_1, m_2\}$. The assertions $m_i$ and $\ell_j$ are used to indicate the control location 
for each process, so the initial condition is: 

$$\Theta : \ell_0 \wedge m_0 \wedge x = 0 \wedge y = 0 .$$

The awaitc transition is assumed to be a compassionate variant of the just 
await statement from [MP95]. That is, if control resides at $\ell_0$ and $x = 0$ infinitely 
often, then the transition must eventually be taken. All other transitions are 
assumed to be just. Program LOOPS is an infinite-state system, since the variables 
x and y can grow beyond any bound. We will show that 

$$\varphi : \Box(y > 0 \rightarrow \Diamond\Box(y > M))$$

is valid over this program, for any $M > 1$. That is, if $y > 0$ then eventually y 
will always be greater than the arbitrary constant M. □ 
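The difference between justice and compassion, as an added Python example that is not part of the original paper: program LOOPS is encoded as a fair transition system with the locations of Fig. 1, and a lasso-shaped run (a prefix followed by a cycle repeated forever) is checked against the fairness requirements. The encoding of the transitions, the lasso representation and the function names are my own; in a lasso, a transition is enabled infinitely often exactly when it is enabled at some state of the cycle, and continuously enabled when it is enabled at every state of the cycle.

```python
INIT = {"pc1": "l0", "pc2": "m0", "x": 0, "y": 0}   # Theta: l0 /\ m0 /\ x = 0 /\ y = 0


def _m0(s):                 # while test at m0: enter the body or leave the loop
    s["pc2"] = "m1" if s["x"] > 0 else "m2"


# name -> (enabled predicate, effect on a copy of the state). The idling
# transition is in T but carries no fairness requirement.
TRANSITIONS = {
    "l0":   (lambda s: s["pc1"] == "l0" and s["x"] == 0, lambda s: s.update(pc1="l1")),
    "l1":   (lambda s: s["pc1"] == "l1", lambda s: s.update(pc1="l0", y=s["y"] + 1)),
    "m0":   (lambda s: s["pc2"] == "m0", _m0),
    "m1":   (lambda s: s["pc2"] == "m1", lambda s: s.update(pc2="m0", x=s["x"] - 1)),
    "m2":   (lambda s: s["pc2"] == "m2", lambda s: s.update(pc2="m0", x=s["y"])),
    "idle": (lambda s: True, lambda s: None),
}
FAIR = ["l0", "l1", "m0", "m1", "m2"]


def take(state, name):
    """Successor state, or ValueError if the transition is not enabled."""
    enabled, effect = TRANSITIONS[name]
    if not enabled(state):
        raise ValueError(f"{name} is not enabled at {state}")
    nxt = dict(state)
    effect(nxt)
    return nxt


def fairness_violations(prefix, cycle, l0_compassionate=True):
    """Check the lasso run prefix . cycle^omega, started in INIT, against
    the fairness requirements. Returns the transitions whose requirement
    is violated, split into the just and the compassionate ones. With
    l0_compassionate=False, awaitc is treated as the plain just await."""
    s = dict(INIT)
    for name in prefix:
        s = take(s, name)
    cycle_states, t = [], s
    for name in cycle:
        cycle_states.append(t)
        t = take(t, name)
    if t != s:
        raise ValueError("cycle does not return to its first state; not a lasso")
    compassionate = {"l0"} if l0_compassionate else set()
    taken = set(cycle)
    out = {"just": [], "compassionate": []}
    for name in FAIR:
        enabled = TRANSITIONS[name][0]
        ever = any(enabled(q) for q in cycle_states)      # enabled infinitely often
        always = all(enabled(q) for q in cycle_states)    # continuously enabled
        if name in taken:
            continue
        if name in compassionate and ever:
            out["compassionate"].append(name)
        elif name not in compassionate and always:
            out["just"].append(name)
    return out


if __name__ == "__main__":
    # Both processes idle forever in the initial state: m0 is continuously
    # enabled and never taken (justice), l0 likewise (compassion).
    print(fairness_violations([], ["idle"]))
    # x alternates between 1 and 0 while l0 is never taken: l0 is enabled
    # infinitely often but not continuously, so only compassion is violated.
    prefix, cycle = ["l0", "l1", "m0", "m2"], ["m0", "m1", "m0", "m2"]
    print(fairness_violations(prefix, cycle))
    print(fairness_violations(prefix, cycle, l0_compassionate=False))
```

The second run printed is a computation if awaitc is merely just and is not one if it is compassionate, which is exactly why Example 1 needs the compassionate variant: with a just await, P1 could starve forever and $\varphi$ would fail. Note also that no fair computation of LOOPS can be written as a lasso at all, since every fair computation keeps incrementing y; that unboundedness is what the ranking arguments later in the paper have to handle.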

We distinguish between safety and progress properties [MP95]. Intuitively, 
a safety property means that a particular class of “bad states” will never be 
reached. For example, invariance formulas, of the form $\Box p$ for an assertion 
p, and wait-for formulas, of the form $\Box(p \rightarrow q_1\,\mathcal{W}\,\ldots\,\mathcal{W}\,q_n)$, express safety 
properties. Progress properties, on the other hand, state that certain states will 
eventually be reached. While safety properties do not depend on the fairness 
constraints of the system, progress properties do require fairness. 

A binary relation $\succ$ is well-founded over a domain $\mathcal{D}$ if there are no infinite 
sequences of elements $e_1, e_2, \ldots$ in $\mathcal{D}$ such that $e_1 \succ e_2 \succ \cdots$. We write $x \succeq y$ if 
$x \succ y$ or $x = y$. A ranking function $\delta$ is a mapping from system states into a 
well-founded domain $(\mathcal{D}, \succ)$. 

2.2 Deductive Verification 

Verification rules reduce the validity of a given temporal property over a given 
system S to the general validity of a set of first-order verification conditions. 
For example, the general invariance rule, which proves a property of the form 
$\Box p$ for an assertion p, requires finding an assertion $\varphi$ such that the following 
verification conditions are valid: (1) $\varphi \rightarrow p$ (that is, $\varphi$ strengthens p), (2) $\Theta \rightarrow \varphi$ 
(that is, $\varphi$ holds initially), and (3) $\{\varphi\}\,\tau\,\{\varphi\}$ for each transition $\tau \in \mathcal{T}$ (that is, $\varphi$ 
is preserved by all transitions). Other verification rules are available for proving 
different classes of temporal properties [MP95]. 

3 Temporal Verification Diagrams 

Verification diagrams were introduced by Manna and Pnueli [MP94] as a graphical 
representation of the verification conditions needed for a deductive proof. As 
with verification rules, different classes of diagrams are used to prove different 
classes of temporal properties. 

Verification diagrams are generalized in [HMS95] to be applicable to arbitrary 
temporal properties, and shown to be a complete proof method for general (state- 
quantified) temporal formulas, relative to the reasoning required to establish 
verification conditions. The Generalized Verification Diagrams we describe below 
differ in presentation from those in [HMS95, ?], but the underlying notions 
remain the same. 

A Generalized Verification Diagram (GVD) for a system S is a directed graph 
whose nodes are labeled by assertions, where a subset of the nodes is marked as 
initial. The assertion labeling a node n is indicated by $\mu(n)$. For a set of nodes 
$S : \{n_1, \ldots, n_k\}$, we define 

$$\mu(S) \;\stackrel{\text{def}}{=}\; \mu(n_1) \vee \ldots \vee \mu(n_k) ,$$

where $\mu(\{\}) = \mathit{false}$. For a node n, the set of successor nodes of n is $succ(n)$. 

A run of a diagram is a sequence $\sigma : s_0, s_1, \ldots$ of states of S such that there 
is an associated path $\pi : n_0, n_1, \ldots$ through the diagram, where $n_0$ is an initial 
node and for each $i \geq 0$, the state $s_i$ satisfies $\mu(n_i)$. 

Zohar Manna et al. 

We use an acceptance condition to define the limit behavior of the diagram. 
The theory of automata on infinite words ($\omega$-automata) provides several types of 
acceptance conditions. For simplicity, here we choose Muller acceptance 
conditions. These are equally expressive as the more concise Streett acceptance 
conditions used in [HMS95], but allow a more intuitive presentation. 

For an infinite path $\pi$ through a GVD, let $inf(\pi)$ be the set of nodes that 
appear infinitely often in $\pi$. A Muller acceptance condition $\mathcal{F}$ is a set of sets of 
nodes. A path $\pi$ is accepting if $inf(\pi) \in \mathcal{F}$. Note that an infinite path must 
eventually remain in a strongly connected subgraph (SCS), so an acceptance 
condition can always be expressed as a set of diagram SCS's. A computation 
of a diagram $\Psi$ is a run of $\Psi$ that has an associated accepting path. The set of 
all computations of $\Psi$ is $\mathcal{L}(\Psi)$. 

3.1 Verification Conditions 

Associated with a GVD and a system S are verification conditions that, when 
valid, ensure that $\mathcal{L}(S) \subseteq \mathcal{L}(\Psi)$. In this case, we say that $\Psi$ is S-valid. 

— Initiation: Every initial state of S should be covered by some initial diagram 
node, that is, 

$$\Theta \rightarrow \mu(I) ,$$

where I is the set of initial diagram nodes. This implies that every run of S 
can start at some initial node of $\Psi$. 

— Consecution: For every node n and every transition $\tau$, there is a successor 
node that can be reached by taking $\tau$ (if $\tau$ can be taken at all), that is, 

$$\mu(n) \wedge \rho_\tau \rightarrow \mu'(succ(n)) .$$

Here, $\mu'(succ(n))$ is the result of replacing each system variable x in 
$\mu(succ(n))$ by $x'$. 

Together, these two conditions imply that every run of S can remain within $\Psi$: 

Proposition 1. If a diagram $\Psi$ satisfies the initiation and consecution 
requirements for a system S, then the runs of S are a subset of the runs of $\Psi$. 

Thus, once the above verification conditions are proved, we can conclude that 
any safety property of $\Psi$ also holds for S. 

To preserve progress properties, a second set of verification conditions ensures 
that every computation of the system can follow an accepting path in the 
diagram, that is, can always eventually remain in an accepting SCS. Thus, if an 
SCS S is not accepting, we must show that computations can always leave S, or 
cannot stay in S forever. 

For an SCS S, a tail(S)-computation is a system computation that has a 
corresponding path $\pi$ in the diagram such that $inf(\pi) = S$. An SCS is called 
transient if every tail(S)-computation can leave S (so it is also a tail(S')- 
computation, for an SCS $S' \neq S$). 

We want to show that every non-accepting SCS is transient. An SCS can be 
shown to be transient in one of the following three ways: 
— Just exit: An SCS S has a just exit if there is a just transition $\tau$ such that 
the following verification conditions are valid: for every node $m \in S$, 

$$\mu(m) \rightarrow enabled(\tau) \quad\text{and}\quad \mu(m) \wedge \rho_\tau \rightarrow \mu'(succ(m) - S) .$$

This means that $\tau$ is enabled and can leave the SCS at all nodes. We say 
that $\tau$ is the just exit transition for S. 

— Compassionate exit: An SCS S has a compassionate exit if there is a 
compassionate transition $\tau$ such that the following verification conditions 
are valid: for every node $m \in S$, 

$$\mu(m) \rightarrow \neg enabled(\tau) \quad\text{or}\quad \mu(m) \wedge \rho_\tau \rightarrow \mu'(succ(m) - S) ,$$

and for some node $n \in S$, $\tau$ is enabled at n: 

$$\mu(n) \rightarrow enabled(\tau) .$$

This means that for every node in S, either $\tau$ is disabled or $\tau$ can lead out 
of S, and there is at least one node n where $\tau$ can indeed leave S. We say 
that n is the exit node and $\tau$ is the compassionate exit transition for S. 

— Well-founded SCS: An SCS $S : \{n_1, \ldots, n_k\}$ is well-founded if there exist 
ranking functions $\{\delta_1, \ldots, \delta_k\}$, where each $\delta_i$ maps the system states into 
elements of a well-founded domain $(\mathcal{D}, \succ)$, such that the following verification 
conditions are valid: there is a cut-set¹ E of edges in S such that for all edges 
$(n_i, n_j) \in E$ and every transition $\tau$, 

$$\mu(n_i) \wedge \rho_\tau \wedge \mu'(n_j) \rightarrow \delta_i(V) \succ \delta_j(V') ,$$

and for all other edges $(n_i, n_j) \notin E$ in S and for all transitions $\tau$, 

$$\mu(n_i) \wedge \rho_\tau \wedge \mu'(n_j) \rightarrow \delta_i(V) \succeq \delta_j(V') .$$

This means that there is no tail(S)-computation: it would have to traverse 
at least one of the edges in E infinitely often, which contradicts the well- 
foundedness of the ranking functions. 

We say that S has a fair exit if it has a just or a compassionate exit. Combined 
with consecution, the fair exit verification conditions ensure that a tail(S)- 
computation can always follow a path that leaves S. Any run of the system that is 
forced to stay within an SCS with a fair exit must be unfair. If S is well-founded, 
there can be no tail(S)-computations. We can now claim: 

Proposition 2. If a GVD $\Psi$ for a system S satisfies the initiation and consecution 
requirements, and all non-accepting SCS's have a fair exit or are well-founded, 
then $\mathcal{L}(S) \subseteq \mathcal{L}(\Psi)$, that is, $\Psi$ is S-valid. 

¹ A cut-set of an SCS S is a set of edges E such that every loop in S contains some 
edge in E (that is, the removal of E disconnects S). 
Fig. 2. A GVD $\Psi$ for program LOOPS and property $\varphi : \Box(y > 0 \rightarrow \Diamond\Box(y > M))$ 



Thus, to show that a given diagram $\Psi$ is S-valid, the user must prove initiation 
and consecution, and specify, for each non-accepting SCS, one of the following: 

1. a just exit transition $\tau$; 

2. a compassionate exit transition $\tau$ and its exit node n; or 

3. well-founded ranking functions $\delta_i$ and a cut-set E that prove that the SCS 
is well-founded. 



Example 2. Figure 2 shows a GVD for the program LOOPS of Figure 1. The only 
initial node is $n_0$. M is a constant, where we assume $M > 1$. Encapsulation 
conventions, based on those of Statecharts [?], are used to make diagrams 
more succinct. Nodes $n_0$ and are part of a compound node which, together 
with $n_1$ and , is part of a larger compound node. An assertion that labels a 
compound node is added, as a conjunct, to its subnodes. Edges leaving (entering) 
a compound node are interpreted as leaving (entering) all of its subnodes. 

The runs of the diagram include all runs of program LOOPS. Initiation holds, 
since $\Theta$ implies $y = 0$. The consecution conditions can also easily be proved: for 
instance, the only transitions enabled at node $n_1$ are the idling transition and 
transition $m_0$, which when taken always leads to $n_2$. However, the diagram has 
runs that, for example, stay in node $n_2$ forever. These are not computations of 
the program, because they are not fair. 

The diagram acceptance condition allows the transfer of progress properties 
from the diagram to the system, if the diagram is shown to be S-valid. The 
weakest acceptance condition that lets us prove 

$$\varphi : \Box(y > 0 \rightarrow \Diamond\Box(y > M))$$

is $\mathcal{F} : \{\{n_0\}, \{n_5\}\}$. The presence of $\{n_0\}$ means that computations of the 
diagram can stay at $n_0$ with $y = 0$ and never reach $y > 0$. The inclusion of $\{n_5\}$ 
means that once a diagram computation leaves the safe haven of $n_0$, it must be 
able to reach $n_5$ and stay there. 

Thus, to prove that the diagram is 5 -valid, we must show that all other SCS’s 
are transient: 

— It is straightforward to show that {ni}, {n2}, {n.3}, {n.4} and {n.5} have just 
exit transitions mg, mi, mg, m2 and £1, respectively. 

— The SCS {ni, ri2, n.3, n4} has compassionate exit transition £g, with exit node 
ng or n4. Transition £g is always enabled at ng and n4, leading out of the 
SCS, and is disabled at ni and U2- 

— The SCS {ni,n2} can be shown to be well-founded with ranking function 
6 i : X at both nodes. The value of x, always positive in this SCS, decreases 
along the edge (n2,ni), which is a cut-set for the SCS, and does not change 
along the other edges. 

— The remaining SCS’s are of the form {(ni, ri2, ng, 71,4), ng}, where (ni, . . . , 744) 

stands for any nonempty subset of {ni, . . . ,744}. They can be shown to be 
well-founded using the ranking function 5 i : M — y at all nodes. This is well- 
founded, since M > y within these SCS’s. For each SCS, the set of edges that 
leave 745 is the cut-set. These edges can only be traversed by transition £1, 
which increases y and thus decreases the well-founded order. The transitions 
on all other edges preserve the value oi y. □ 



3.2 $(\Psi, \varphi)$ Property Satisfaction

Section 3.1 describes verification conditions that prove that $\mathcal{L}(S) \subseteq \mathcal{L}(\Psi)$, that is, that the diagram defines a correct abstraction of the system. To prove the $S$-validity of a property $\varphi$, it remains to show that all the computations of the diagram are models of $\varphi$, that is,

$\mathcal{L}(\Psi) \subseteq \mathcal{L}(\varphi)$ .



36 



Zohar Manna et al. 



This check can be performed using standard $\omega$-automata model checking, if we can relate the nodes of the diagram with the atomic assertions in $\varphi$ (the ones with no subformulas other than themselves). As in [BMS95], we do this using a propositional labeling, where a diagram node $n$ can be labeled with a boolean combination $b$ of atomic assertions of $\varphi$, if

$\mu(n) \rightarrow b$

is valid. Given a propositional labeling, a GVD $\Psi$ can be seen as a finite-state $\omega$-automaton $\Psi^A$, where each node is a state of the automaton, labeled with the given propositions. The property itself can be seen as an abstract property $\varphi^A$ over its propositions. For instance, the atomic assertions in $\varphi: \Box(y > 0 \rightarrow \Diamond\Box(y > M))$ are $p: y > 0$ and $q: y > M$, which are now regarded as propositions. The abstract property is then $\varphi^A: \Box(p \rightarrow \Diamond\Box q)$.

In most cases, the node label justification is trivial, since the diagram is drawn with $\varphi$ in mind and the atomic assertions of $\varphi$ are usually already present in the node assertions (see Section 4).

Example 3. Consider again the GVD for program LOOPS in Figure 2. Let $p: y > 0$ and $q: y > M$. Then we can label the nodes as follows:

$n_0: \neg p$ (proving $y = 0 \rightarrow \neg(y > 0)$)

$n_1, n_2, n_3, n_4, n_5: \mathit{true}$ (no label is needed for these nodes)

$n_6: q$

The resulting $\omega$-automaton is shown in Figure 3. The abstract property is $\varphi^A: \Box(p \rightarrow \Diamond\Box q)$. We can now use finite-state model checking to automatically establish that $\Psi^A$ satisfies $\varphi^A$ [Kur94, BCM+92]. Thus, we have proved that $\varphi: \Box(y > 0 \rightarrow \Diamond\Box(y > M))$ is valid for program LOOPS. □
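The obligations of Section 3.1 and the propositional-labeling check of Section 3.2 become mechanical once the diagram is a finite graph. The Python below is an added example, not code from the paper or from STeP: it enumerates the SCS's of a small diagram, checks a candidate cut-set in the sense of the cut-set footnote above (removing it must leave the SCS no longer strongly connected), checks a ranking argument against a per-edge summary of what the transitions do to $\delta$, and model checks the one property shape $\Box(p \rightarrow \Diamond\Box q)$ of Example 3 over the accepting runs, reading $\Upsilon$ as in the text (a run is accepting when the set of nodes it visits infinitely often is a member of $\Upsilon$). The seven-node graph, the per-edge $\delta$ effects and the labels are constructed to match the facts stated in Example 2 (the loop $\{n_1, n_2\}$ cut by $(n_2, n_1)$, the SCS $\{n_1, \ldots, n_4\}$, and the SCS's $S \cup \{n_5\}$ cut by the edges leaving $n_5$); Figure 2's actual edge set is not reproduced on this page, so the graph is an assumption, and idling self-loops are not modelled.

```python
from itertools import combinations

# Constructed diagram (an assumption, not Figure 2 itself): nodes n0..n6 and edges
# chosen so that the SCS's are exactly those discussed in Example 2.
NODES = ["n0", "n1", "n2", "n3", "n4", "n5", "n6"]
EDGES = {
    ("n0", "n1"),
    ("n1", "n2"), ("n2", "n1"),                 # the loop {n1, n2}
    ("n2", "n3"), ("n3", "n4"), ("n4", "n1"),   # closes the SCS {n1, n2, n3, n4}
    ("n1", "n5"), ("n2", "n5"), ("n3", "n5"), ("n4", "n5"),
    ("n5", "n1"), ("n5", "n2"), ("n5", "n3"), ("n5", "n4"),   # edges leaving n5
    ("n3", "n6"), ("n4", "n6"),                 # compassionate exit l0 to n6
}
INITIAL = "n0"
UPSILON = [frozenset({"n0"}), frozenset({"n6"})]   # acceptance condition of Example 2

def reachable(start, nodes, edges):
    """Nodes of `nodes` reachable from `start` (inclusive) using edges inside `nodes`."""
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(m for (a, m) in edges if a == n and m in nodes)
    return seen

def is_scs(nodes, edges):
    """Strongly connected subgraph: every node reaches every other within `nodes`."""
    nodes = frozenset(nodes)
    return bool(nodes) and all(reachable(n, nodes, edges) >= nodes for n in nodes)

def all_scs(nodes=NODES, edges=EDGES):
    """Every SCS of the diagram (brute force over node subsets; diagrams are small)."""
    return [frozenset(c) for k in range(1, len(nodes) + 1)
            for c in combinations(nodes, k) if is_scs(c, edges)]

def non_accepting_scs(nodes=NODES, edges=EDGES, upsilon=UPSILON):
    """The SCS's that must be shown transient for S-validity."""
    return [s for s in all_scs(nodes, edges) if s not in upsilon]

def is_cut_set(scs, cut, edges=EDGES):
    """Cut-set check: removing `cut` leaves `scs` no longer strongly connected, so a run
    that visits all of `scs` infinitely often must traverse `cut` infinitely often."""
    inner = {e for e in edges if e[0] in scs and e[1] in scs}
    return cut <= inner and not is_scs(scs, inner - cut)

def is_well_founded(scs, cut, effect, edges=EDGES):
    """Item 3 of the obligations: `effect[e]` is "dec" or "same", a constructed summary of
    what the transitions on edge e do to delta. delta must never increase on an edge
    inside the SCS and must decrease on every cut-set edge."""
    inner = {e for e in edges if e[0] in scs and e[1] in scs}
    return (is_cut_set(scs, cut, edges)
            and all(effect.get(e) in ("dec", "same") for e in inner)
            and all(effect.get(e) == "dec" for e in cut))

def may_hold(prop, node, labels):
    """A label is only an implication mu(n) -> b, so a proposition the node does not
    mention may take either value there."""
    return labels.get(node, {}).get(prop) is not False

def check_p_implies_eventually_always_q(labels, nodes=NODES, edges=EDGES,
                                        init=INITIAL, upsilon=UPSILON):
    """Model-check the abstract property [](p -> <>[]q) over the accepting runs of the
    labelled diagram. A run whose infinitely-often set is C in Upsilon satisfies <>[]q
    iff q is labelled true on all of C; otherwise the run violates the property as soon
    as p may hold at a node it can visit (a path from init into C, or C itself)."""
    for C in upsilon:
        if all(labels.get(n, {}).get("q") is True for n in C):
            continue
        forward = reachable(init, set(nodes), edges)
        backward = set().union(*(reachable(c, set(nodes), {(b, a) for (a, b) in edges})
                                 for c in C))
        if any(may_hold("p", n, labels) for n in (forward & backward) | C):
            return False
    return True

# The labeling of Example 3: n0 carries ~p, n6 carries q, every other node is unlabelled.
LABELS_EXAMPLE_3 = {"n0": {"p": False}, "n6": {"q": True}}

if __name__ == "__main__":
    print(len(non_accepting_scs()), "non-accepting SCS's")          # 22 for this graph
    print(is_cut_set(frozenset({"n1", "n2"}), {("n2", "n1")}))       # True
    print(check_p_implies_eventually_always_q(LABELS_EXAMPLE_3))     # True
    print(check_p_implies_eventually_always_q({"n6": {"q": True}}))  # False: n0 needs ~p
```

Dropping the $\neg p$ label from $n_0$ makes the check fail, which is exactly the point made above about $\{n_0\}$ being in $\Upsilon$: a run may stay at $n_0$ forever, and only the label $y = 0 \rightarrow \neg(y > 0)$ rules out $p$ holding there.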

From an abstraction point of view, the propositional labeling ensures that the abstract properties model checked for $\Psi^A$ imply the desired properties of the original system $S$. The diagram can then be seen as a weakly property-preserving abstraction of the system $S$ […].

Once a diagram $\Psi$ is proved to be a correct abstraction, i.e. $\mathcal{L}(S) \subseteq \mathcal{L}(\Psi)$, it can be used to transfer any property that can be model checked for the diagram over to the system $S$.

Fig. 3. Automaton $\Psi^A$: a propositional labeling of diagram $\Psi$ of Figure 2

Example 4. The diagram from Figure 2 also lets us prove the $S$-validity of

$\Box((\ell_0 \wedge y > 0 \wedge y < M) \rightarrow \Diamond\, x = 0)$ .

In this case, we let $p: \ell_0$, $q: y > 0$, $r: y < M$ and $s: x = 0$, and label the nodes as follows:

$n_0: \neg q$ (proving $y = 0 \rightarrow \neg(y > 0)$)

$n_1, n_2: p \wedge q \wedge r$

$n_3, n_4: s$

$n_5: \neg p$ (proving $\ell_1 \rightarrow \neg \ell_0$)

$n_6: \neg r$ (proving $y > M \rightarrow \neg(y < M)$)

We can now, as before, model check $\varphi^A: \Box((p \wedge q \wedge r) \rightarrow \Diamond s)$ over the resulting $\omega$-automaton. □

4 GVD Templates 

As mentioned earlier, [MP94] provide different types of diagrams, depending on the type of temporal property being proved. In particular, INVARIANCE diagrams prove properties of the form $\Box p$, for an assertion $p$; WAIT-FOR diagrams prove properties of the form $\Box(p \rightarrow (q_m\, \mathcal{W} \ldots \mathcal{W}\, q_0))$; CHAIN diagrams prove response properties, of the form $\Box(p \rightarrow \Diamond q)$, that do not require the use of well-founded orders; and RANK diagrams prove response properties that do. Each type of verification diagram has different well-formedness constraints to ensure that the diagram satisfies the property.

We can define GVD templates for the more common properties, similarly to special-purpose diagrams. For example, to prove an invariance $\Box p$, the acceptance condition includes all SCS's, so no progress verification conditions need to be proved, and each node must be shown to satisfy $p$. The result is equivalent to the INVARIANCE diagrams of [MP94].

Example 5. Figure 4 provides a GVD template to prove formulas of the form $\Box(p \rightarrow \Diamond\Box q)$. The acceptance condition is

$\Upsilon: \{\{n_0\}, \{n_2\}\}$ .

Thus all other SCS's of the template must be shown to be transient: they should have a fair exit or be well-founded. The diagram of Figure 2 is an instance of this template. □

Fig. 4. GVD template to prove properties of the form $\Box(p \rightarrow \Diamond\Box q)$

In general, the starting template for a GVD can be obtained from the temporal tableau of $\varphi$, a finite-state $\omega$-automaton that represents all the models of $\varphi$ (see, e.g., […]).

In this case, the property satisfaction check is guaranteed to succeed, and the propositional labeling can be the identity. The user will have to prove consecution over this diagram, and show that all non-accepting SCS's have a fair exit or are well-founded. The structure of the diagram can then be filled in, adding details according to the user's understanding of the system. Verification diagrams can be constructed and checked incrementally. Since the verification conditions are local to the diagram, portions of the diagram can be formally verified, while others are edited until they can be proved correct or an error is found in the system being verified (see Section 6).



5 Related Work 

While verification diagrams give a direct proof that all computations of a system satisfy the property $\varphi$, deductive model checking (DMC) [SUM96] shows that no computation can satisfy its negation. This is done by transforming a falsification diagram, which represents the product of a system abstraction and the tableau for $\neg\varphi$. The system abstraction is refined, as necessary, until the property is proved or a counterexample is found. At any given point, the falsification diagram includes all the computations of the system that may possibly violate $\varphi$.

While a GVD shows that every computation of $S$ can follow an accepting path through the diagram, DMC shows that every computation of $S$ must end in an unsuitable SCS in the product graph.

Property-preserving abstractions for reactive systems are discussed in, for instance, […]. For a more extensive discussion of deductive-algorithmic verification and abstraction, see […]. See [Sip98] for more on deductive model checking, diagrams, and their application to the verification of real-time and hybrid systems.



6 Implementation: The STeP System 

The Stanford Temporal Prover (STeP) is a tool for the temporal verification of reactive systems […]. STeP parses SPL programs into fair transition systems, or can take transition systems directly as input. STeP includes verification rules and diagrams, automatic invariant generation, and symbolic and explicit-state LTL model checking.

The latest version of STeP, 2.0, features a Java graphical user interface that facilitates the construction and verification of diagrams, including GVD's (currently, using Streett acceptance conditions). The system automatically generates the required verification conditions and performs the required $\omega$-automata model checking step. The diagram editor is closely integrated with the proof editor, so that the user can visualize the portions of the diagram that are proved and unproved as the diagram is incrementally constructed.

STeP provides integrated first-order automated reasoning and decision procedures […] to facilitate the proof of verification conditions. STeP also uses these procedures for the generation of finite-state abstractions […]. STeP can verify real-time and hybrid systems […], and is being extended to include modular specification and verification […].

STeP is freely available for research and educational use. For more information, see the STeP web pages, at:

http://www-step.stanford.edu
Abstract. A metalanguage for concurrent process languages is introduced. Within it a range of process languages can be defined, including higher-order process languages where processes are passed and received as arguments. The metalanguage is provided with two interpretations both of which can be understood as categorical models of a variant of linear logic. One interpretation is in a simple category of nondeterministic domains; here a process will denote its set of traces. The other interpretation, obtained by direct analogy with the nondeterministic domains, is in a category of presheaf categories; the nondeterministic branching behaviour of a process is captured in its denotation as a presheaf. Every presheaf category possesses a notion of (open-map) bisimulation, preserved by terms of the metalanguage. The conclusion summarises open problems and lines of future work.



1 Introduction 

Over the last few years, Gian Luca Cattani and I have worked on presheaf models for interacting processes, culminating in Cattani's forthcoming PhD thesis [2]. The work started from the general definition of bisimulation via open maps in […] which suggested examining a broad class of models for concurrency — presheaf categories. Later we realised that presheaf models can themselves be usefully assembled together in a category in which the maps are colimit-preserving functors. There are two main benefits: one is a general result stating that colimit-preserving functors between presheaf categories preserve open maps and bisimulation […]; the other that the category of the presheaf models is a form of domain theory for concurrency, with a compositional account of bisimulation, though at the cost that domains are categories rather than special partial orders […].

We originally concentrated on the category of presheaf categories with colimit-preserving functors (or equivalently, the bicategory of profunctors). We've come to realise that by shifting category, to presheaf categories with connected-colimit preserving functors, a lot of our work can be done more systematically. (A connected colimit is a colimit of a nonempty connected diagram.) In particular the new category supports a metalanguage in which many of our constructions can be defined once and for all. This is not the only way the metalanguage saves work. Its terms will automatically preserve connected colimits. The metalanguage supports recursive definitions because $\omega$-colimits are examples of connected colimits.

* Basic Research in CS, Centre of the Danish National Research Foundation. 
Connected-colimit preserving functors preserve open-map bisimulation. Consequently terms of the metalanguage preserve open-map bisimulation; if two terms which are open-map bisimilar are substituted for the same variable in a term of the metalanguage then the resulting terms will be open-map bisimilar.

The metalanguage can be interpreted in a wide range of categories. To spare some of the overhead of working with presheaf categories the metalanguage will first be interpreted in a simple category of nondeterministic domains. Equality of terms in this model will coincide with trace equivalence. However the nondeterministic domains are mathematically close to presheaf categories. With a switch of viewpoint, essentially the same constructions lead to an interpretation of the metalanguage in presheaf categories with connected-colimit preserving functors, for which open-map bisimulation is an appropriate equivalence.



2 Presheaf Models Sketched 

Let $\mathbb{P}$ be a small category. The category of presheaves over $\mathbb{P}$, written $\widehat{\mathbb{P}}$, is the category $[\mathbb{P}^{op}, \mathbf{Set}]$ with objects the functors from $\mathbb{P}^{op}$ (the opposite category) to $\mathbf{Set}$ (the category of sets and functions) and maps the natural transformations between them.

In our applications, the category $\mathbb{P}$ is thought of as consisting of abstract paths (or computation-path shapes) where a map $e: p \rightarrow p'$ expresses how the path $p$ is extended to the path $p'$. In this paper the categories over which we take presheaves will be (the category presentation of) partial orders; the way a path $p$ extends to a path $p'$ will be unique and a map from a path $p$ to a path $p'$ simply a witness to $p \leq p'$ in the partial order.

A presheaf $X: \mathbb{P}^{op} \rightarrow \mathbf{Set}$ specifies for a typical path $p$ the set $X(p)$ of computation paths of shape $p$. The presheaf $X$ acts on $e: p \rightarrow p'$ in $\mathbb{P}$ to give a function $X(e)$ saying how $p'$-paths in $X$ restrict to $p$-paths in $X$. In this way a presheaf can model the nondeterministic branching of a process.

Bisimulation on presheaves is derived from the notion of open map between presheaves […]. Open maps are a generalisation of functional bisimulations, or zig-zag morphisms, known from transition systems […]. Presheaves in $\widehat{\mathbb{P}}$ are bisimilar iff there is a span of surjective (i.e., epi) open maps between them.

Because the category of presheaves $\widehat{\mathbb{P}}$ is characterised abstractly as the free colimit completion of $\mathbb{P}$ we expect colimit-preserving functors between presheaf categories to be useful. They are, but not all operations associated with process languages preserve arbitrary colimits. Prefixing operations only preserve connected colimits while parallel compositions usually only preserve connected colimits in each argument separately. However, the preservation of connected colimits is all we need of a functor between presheaf categories for it to preserve bisimulation.

Proposition 1. […] Let $G: \widehat{\mathbb{P}} \rightarrow \widehat{\mathbb{Q}}$ be any connected-colimit preserving functor between presheaf categories. Then $G$ preserves surjective open maps and open-map bisimulation.

Define $\mathbf{Con}$ to be the category consisting of objects partial orders $\mathbb{P}, \mathbb{Q}, \ldots$, with maps $G: \mathbb{P} \rightarrow \mathbb{Q}$ the connected-colimit preserving functors $G: \widehat{\mathbb{P}} \rightarrow \widehat{\mathbb{Q}}$ between the associated presheaf categories, and composition the usual composition of functors. Define $\mathbf{Col}$ to be the subcategory of colimit-preserving functors.



3 Categories of Nondeterministic Domains 

We obtain nondeterministic domains by imitating the definitions on presheaves but replacing $\mathbf{Set}$ by the much simpler partial order category $\mathbf{2}$ with two elements $0, 1$ ordered by $0 \leq 1$.

Instead of presheaves $\widehat{\mathbb{P}} = [\mathbb{P}^{op}, \mathbf{Set}]$ we now obtain $\widehat{\mathbb{P}} = [\mathbb{P}^{op}, \mathbf{2}]$, functors, and so monotonic functions from $\mathbb{P}^{op}$ to $\mathbf{2}$. It's not hard to see that an object $x$ of $\widehat{\mathbb{P}}$ corresponds to a downwards-closed set given by $\{p \in \mathbb{P} \mid x(p) = 1\}$, and that a natural transformation from $x$ to $y$ in $\widehat{\mathbb{P}}$ corresponds to the inclusion of $\{p \in \mathbb{P} \mid x(p) = 1\}$ in $\{p \in \mathbb{P} \mid y(p) = 1\}$. So we can identify $\widehat{\mathbb{P}}$ with the partial order of downwards-closed subsets of $\mathbb{P}$, ordered by inclusion. Thought of in this way it is sensible to think of $\widehat{\mathbb{P}}$ as a nondeterministic domain in the sense of […]; the order $\widehat{\mathbb{P}}$ has joins got simply via unions so it is certainly a cpo, with least element $\emptyset$, and we can think of the union operation as being a form of nondeterministic sum. It's worth remarking that the domains obtained in this way are precisely the infinitely-distributive algebraic lattices (see e.g. […]) and that these are just the same as the prime algebraic lattices of […], and free join completions of partial orders.

There are several choices about what to take as maps between nondeterministic domains. If we eschew "fairness", the most generous we seem to have call for is that of all Scott-continuous functions between the domains. We are interested in maps which are just broad enough to include those operations we associate with interacting processes, operations such as prefixing of actions, nondeterministic sum and parallel composition, so we look for a narrower class of maps than continuous functions.



3.1 The Category $\mathbf{Dom}_s$

On mathematical grounds it is natural to consider taking maps between nondeterministic domains which preserve their join structure, to choose functions $f$ from $\widehat{\mathbb{P}}$ to $\widehat{\mathbb{Q}}$ which preserve all joins, i.e. so $f(\bigcup X) = \bigcup_{x \in X} f(x)$. Such functions (known often as additive functions) compose as usual, have identities and give rise to a category rich in structure. Call this category $\mathbf{Dom}_s$ and write $f: \mathbb{P} \rightarrow_s \mathbb{Q}$ for a map in $\mathbf{Dom}_s$, standing for an additive function from $\widehat{\mathbb{P}}$ to $\widehat{\mathbb{Q}}$. Notice that such maps can be presented in several different ways. Because such maps preserve joins they are determined by their results on just the "complete primes", elements $p{\downarrow} \in \widehat{\mathbb{P}}$, for $p \in \mathbb{P}$, such that

$p{\downarrow}(p') = 1$ if $p' \leq p$, and $0$ otherwise.
Let $f: \mathbb{P} \rightarrow_s \mathbb{Q}$, so $f: \widehat{\mathbb{P}} \rightarrow \widehat{\mathbb{Q}}$, and write $f^\circ: \mathbb{P} \rightarrow \widehat{\mathbb{Q}}$ for its restriction such that $f^\circ(p) = f(p{\downarrow})$, for $p \in \mathbb{P}$. As every element $x$ of $\widehat{\mathbb{P}}$ is the join $\bigcup_{p \in x} p{\downarrow}$ we see that

$f(x) = \bigcup_{p \in x} f^\circ(p)$ .

In this way maps $f: \mathbb{P} \rightarrow_s \mathbb{Q}$ correspond to monotonic functions $f^\circ: \mathbb{P} \rightarrow \widehat{\mathbb{Q}}$. But monotonic functions $g: \mathbb{P} \rightarrow \widehat{\mathbb{Q}}$ are just the same as monotonic functions $g: \mathbb{P} \rightarrow [\mathbb{Q}^{op}, \mathbf{2}]$ and, uncurrying, these correspond to monotonic functions $h: \mathbb{P} \times \mathbb{Q}^{op} \rightarrow \mathbf{2}$ and so to elements of $\widehat{\mathbb{P}^{op} \times \mathbb{Q}} = [(\mathbb{P}^{op} \times \mathbb{Q})^{op}, \mathbf{2}]$. This suggests that $\mathbb{P}^{op} \times \mathbb{Q}$ is a function space, as indeed is so.

The category $\mathbf{Dom}_s$ is monoidal-closed and in fact carries enough structure to be a categorical model of classical linear logic, the involution of linear logic, $\mathbb{P}^\perp$, being given as $\mathbb{P}^{op}$. The tensor of $\mathbb{P}$ and $\mathbb{Q}$ is given by the product of partial orders $\mathbb{P} \times \mathbb{Q}$ and the function space from $\mathbb{P}$ to $\mathbb{Q}$ by $\mathbb{P}^{op} \times \mathbb{Q}$. Its products and coproducts are both given by disjoint unions on objects; for example the usual product of domains $\widehat{\mathbb{P}} \times \widehat{\mathbb{Q}}$ is easily seen to be isomorphic to $\widehat{\mathbb{P} + \mathbb{Q}}$, the nondeterministic domain of the disjoint union $\mathbb{P} + \mathbb{Q}$.

3.2 Lifting

One important construction on domains, that of lifting, is missing. Lifting a domain places a new bottom element below a domain. We can achieve this by adjoining a new element $\bot$ below a copy of $\mathbb{P}$ to obtain $\mathbb{P}_\bot$; a way to realise this is by taking $\bot$ to be the empty set $\emptyset$ and the copy of $\mathbb{P}$ to be $\{p{\downarrow} \mid p \in \mathbb{P}\}$ so that the order of $\mathbb{P}_\bot$ is given simply by restricting the order of $\widehat{\mathbb{P}}$. Operations on processes, notably prefixing and parallel composition, make essential use of an operation associated with lifting. The operation is the function

$\lfloor - \rfloor: \widehat{\mathbb{P}} \rightarrow \widehat{\mathbb{P}_\bot}$

such that $\lfloor x \rfloor(\bot) = 1$ and $\lfloor x \rfloor(p{\downarrow}) = x(p)$ for $x \in \widehat{\mathbb{P}}$. But the function $\lfloor - \rfloor$ is not a map from $\mathbb{P}$ to $\mathbb{P}_\bot$ in $\mathbf{Dom}_s$ as it does not preserve all joins; the problem occurs with the join of the empty set $\bigcup \emptyset$, the least element of $\widehat{\mathbb{P}}$, which is not sent to the least element of $\widehat{\mathbb{P}_\bot}$.

3.3 The Category $\mathbf{Dom}$

To accommodate the function $\lfloor - \rfloor$ we are forced to move to a slightly broader category, though fortunately one that inherits a good many properties from $\mathbf{Dom}_s$. The category $\mathbf{Dom}$ has the same objects, partial orders, but its morphisms from $\mathbb{P}$ to $\mathbb{Q}$, written $f: \mathbb{P} \rightarrow \mathbb{Q}$, are functions $f: \widehat{\mathbb{P}} \rightarrow \widehat{\mathbb{Q}}$ which need only preserve nonempty joins, or more accurately, joins of non-empty sets.

Maps $\mathbb{P} \rightarrow \mathbb{Q}$ in $\mathbf{Dom}$ are determined by their action on $\emptyset$ and $p{\downarrow}$, for $p \in \mathbb{P}$. This is because any $x \in \widehat{\mathbb{P}}$ is trivially the nonempty join with the least element $\emptyset \cup \bigcup_{p \in x} p{\downarrow}$. Given the way to represent $\mathbb{P}_\bot$ as consisting precisely of the elements $\emptyset$ and $p{\downarrow}$, for $p \in \mathbb{P}$, there is an embedding $j: \mathbb{P}_\bot \rightarrow \widehat{\mathbb{P}}$. So any map $f: \mathbb{P} \rightarrow \mathbb{Q}$ is determined by its restriction $f \circ j: \mathbb{P}_\bot \rightarrow \widehat{\mathbb{Q}}$. The restriction $f \circ j$ is clearly monotonic. Moreover any monotonic function $g: \mathbb{P}_\bot \rightarrow \widehat{\mathbb{Q}}$ has an extension¹ $g^\dagger: \widehat{\mathbb{P}} \rightarrow \widehat{\mathbb{Q}}$ in $\mathbf{Dom}$ given by $g^\dagger(x) = \bigcup_{p \in \lfloor x \rfloor} g(p)$ for $x \in \widehat{\mathbb{P}}$. The two operations $(-) \circ j$ and $(-)^\dagger$ are mutually inverse. Consequently maps $\mathbb{P} \rightarrow \mathbb{Q}$ in $\mathbf{Dom}$ correspond bijectively to maps $\mathbb{P}_\bot \rightarrow_s \mathbb{Q}$ in $\mathbf{Dom}_s$² and so to elements in $\widehat{(\mathbb{P}_\bot)^{op} \times \mathbb{Q}}$.

3.4 Fixed Points

The set of maps in $\mathbf{Dom}$ from a path order $\mathbb{P}$ to one $\mathbb{Q}$ inherits an order from elements of the function space $\widehat{(\mathbb{P}_\bot)^{op} \times \mathbb{Q}}$. Operations of the category $\mathbf{Dom}$ will come to preserve nonempty joins of such maps and, in particular, joins of $\omega$-chains. Hence operations $F$ of $\mathbf{Dom}$ taking maps $\mathbb{P} \rightarrow \mathbb{Q}$ to maps $\mathbb{P} \rightarrow \mathbb{Q}$ will have least fixed points $\mathit{fix}\, F: \mathbb{P} \rightarrow \mathbb{Q}$.

3.5 Intuition

How is one to think of the category $\mathbf{Dom}$? The interpretation we'll give and the way in which we define denotational semantics to process languages will have some novelty, though similar uses of categories of nondeterministic domains have been made (see for instance […]). An object $\mathbb{P}$ is to be thought of as consisting of finite computation paths (each one a "trace" in the sense of […]), for example the finite string of actions that a CCS or CSP process might perform. The partial order $p \leq p'$ on $\mathbb{P}$ is thought of as saying that the computation path $p$ can be extended to the computation path $p'$. With this intuition in mind we shall call the objects of $\mathbf{Dom}$ path orders. An element of $\widehat{\mathbb{P}}$ is a trace set as in […] and stands for the set of computation paths a nondeterministic process can perform.

A map $f: \mathbb{P} \rightarrow \mathbb{Q}$ takes a nondeterministic process with computation paths in $\mathbb{P}$ as input and yields a nondeterministic process with computation paths in $\mathbb{Q}$ as output. How is one to understand that a map preserves joins of nonempty sets? Because the map need only preserve nonempty joins it is at liberty to ignore the input process in giving nontrivial output. Because the map preserves all nonempty joins the interaction with the input process has to be conducted in a linear way; the input process cannot be copied to explore its different nondeterministic possibilities, so once started it can only follow a single course of computation, during which it may be interacted with intermittently. It's helpful to think of a map in $\mathbf{Dom}$ as a context which surrounds an input process, interacting with the input process occasionally and sometimes interacting with its own environment; whichever computation path the output process (the context surrounding the input process) follows it can only involve the input process following a single computation path.

¹ In fact, the left Kan extension along $j$.

² The correspondence is natural in $\mathbb{P}$ and $\mathbb{Q}$, making $\mathbf{Dom}$ the coKleisli category associated to the comonad $(-)_\bot$ on $\mathbf{Dom}_s$ and a reflective subcategory of $\mathbf{Dom}_s$.
4 Constructions on Path Orders

4.1 Tensor

The tensor of path orders $\mathbb{P} \otimes \mathbb{Q}$ is given by the set $(\mathbb{P}_\bot \times \mathbb{Q}_\bot) \setminus \{(\bot, \bot)\}$, ordered coordinatewise, in other words, as the product of $\mathbb{P}_\bot$ and $\mathbb{Q}_\bot$ as partial orders but with the bottom element $(\bot, \bot)$ removed.

Let $f: \mathbb{P} \rightarrow \mathbb{P}'$ and $g: \mathbb{Q} \rightarrow \mathbb{Q}'$. We define $f \otimes g: \mathbb{P} \otimes \mathbb{Q} \rightarrow \mathbb{P}' \otimes \mathbb{Q}'$ as the extension (cf. Section 3.3) $h^\dagger$ of a monotonic function

$h: (\mathbb{P} \otimes \mathbb{Q})_\bot \rightarrow \widehat{\mathbb{P}' \otimes \mathbb{Q}'}$ .

Notice that $(\mathbb{P} \otimes \mathbb{Q})_\bot$ is isomorphic to the product as partial orders of $\mathbb{P}_\bot \times \mathbb{Q}_\bot$ in which the bottom element is then $(\bot, \bot)$. With this realisation of $(\mathbb{P} \otimes \mathbb{Q})_\bot$ we can define $h: \mathbb{P}_\bot \times \mathbb{Q}_\bot \rightarrow \widehat{\mathbb{P}' \otimes \mathbb{Q}'}$ by taking

$(h(p, q))(p', q') = \lfloor f(p) \rfloor(p') \times \lfloor g(q) \rfloor(q')$

for $p \in \mathbb{P}_\bot$, $q \in \mathbb{Q}_\bot$ and $(p', q') \in \mathbb{P}' \otimes \mathbb{Q}'$ — on the right we use the product, or meet, of $\mathbf{2}$, so $0 \times 0 = 0 \times 1 = 1 \times 0 = 0$ and $1 \times 1 = 1$.

The unit for tensor is the empty path order $\mathbb{O}$.

Elements $x \in \widehat{\mathbb{P}}$ correspond to maps $\bar{x}: \mathbb{O} \rightarrow \mathbb{P}$ sending the empty element to $x$. Given $x \in \widehat{\mathbb{P}}$ and $y \in \widehat{\mathbb{Q}}$ we define $x \otimes y \in \widehat{\mathbb{P} \otimes \mathbb{Q}}$ to be the element pointed to by $\bar{x} \otimes \bar{y}: \mathbb{O} \rightarrow \mathbb{P} \otimes \mathbb{Q}$.



4.2 Function Space

The function space of path orders $\mathbb{P} \multimap \mathbb{Q}$ is given by the product of partial orders $(\mathbb{P}_\bot)^{op} \times \mathbb{Q}$. Thus the elements of $\mathbb{P} \multimap \mathbb{Q}$ are pairs, which we write suggestively as $(p \mapsto q)$, with $p \in \mathbb{P}_\bot$, $q \in \mathbb{Q}$, ordered by

$(p' \mapsto q') \leq (p \mapsto q) \iff p \leq p' \;\&\; q' \leq q$

— note the switch in order on the left.

We have the following chain of isomorphisms between partial orders:

$\mathbb{P} \otimes \mathbb{Q} \multimap \mathbb{R} = ((\mathbb{P} \otimes \mathbb{Q})_\bot)^{op} \times \mathbb{R} \cong (\mathbb{P}_\bot)^{op} \times (\mathbb{Q}_\bot)^{op} \times \mathbb{R} \cong \mathbb{P} \multimap (\mathbb{Q} \multimap \mathbb{R})$ .

This gives an isomorphism between the elements of $\widehat{\mathbb{P} \otimes \mathbb{Q} \multimap \mathbb{R}}$ and $\widehat{\mathbb{P} \multimap (\mathbb{Q} \multimap \mathbb{R})}$. Thus there is a 1-1 correspondence $\mathit{curry}$ from maps $\mathbb{P} \otimes \mathbb{Q} \rightarrow \mathbb{R}$ to maps $\mathbb{P} \rightarrow (\mathbb{Q} \multimap \mathbb{R})$ in $\mathbf{Dom}$; its inverse is called $\mathit{uncurry}$. We obtain linear application, $\mathit{app}: (\mathbb{P} \multimap \mathbb{Q}) \otimes \mathbb{P} \rightarrow \mathbb{Q}$, as $\mathit{uncurry}(1_{\mathbb{P} \multimap \mathbb{Q}})$.
4.3 Products

The product of path orders $\mathbb{P} \& \mathbb{Q}$ is given by the disjoint union of $\mathbb{P}$ and $\mathbb{Q}$. An element of $\widehat{\mathbb{P} \& \mathbb{Q}}$ can be identified with a pair $(x, y)$, with $x \in \widehat{\mathbb{P}}$ and $y \in \widehat{\mathbb{Q}}$, which provides the projections $\pi_1: \mathbb{P} \& \mathbb{Q} \rightarrow \mathbb{P}$ and $\pi_2: \mathbb{P} \& \mathbb{Q} \rightarrow \mathbb{Q}$. More general, not just binary, products $\&_{i \in I}\, \mathbb{P}_i$ with projections $\pi_j$, for $j \in I$, are defined similarly. From the universal property of products, a collection of maps $f_i: \mathbb{P} \rightarrow \mathbb{P}_i$, for $i \in I$, can be tupled together to form a unique map $\langle f_i \rangle_{i \in I}: \mathbb{P} \rightarrow \&_{i \in I}\, \mathbb{P}_i$ with the property that $\pi_j \circ \langle f_i \rangle_{i \in I} = f_j$ for all $j \in I$. The empty product is given by $\mathbb{O}$ and as the terminal object is associated with unique maps $\mathbb{P} \rightarrow \mathbb{O}$, constantly $\emptyset$, for any path order $\mathbb{P}$. Finite products are most often written as $\mathbb{P}_1 \& \cdots \& \mathbb{P}_k$. Each object $\mathbb{P}$ is associated with (nondeterministic) sum operations, a map $\Sigma: \&_{i \in I}\, \mathbb{P} \rightarrow \mathbb{P}$ in $\mathbf{Dom}$ taking an element of the domain, viewed as a tuple $\langle x_i \mid i \in I \rangle$, to its union $\bigcup_{i \in I} x_i$ in $\widehat{\mathbb{P}}$. The empty sum yields $\emptyset \in \widehat{\mathbb{P}}$. Finite sums are typically written as $x_1 + \cdots + x_k$.

Because there are empty elements we can define maps in $\mathbf{Dom}_s$ from products to tensors of path orders. For instance, in the binary case, $a: \mathbb{P} \& \mathbb{Q} \rightarrow_s \mathbb{P} \otimes \mathbb{Q}$ in $\mathbf{Dom}_s$ is specified by

$(x, y) \mapsto (x \otimes \emptyset) + (\emptyset \otimes y)$ .

The composition of such a map with the diagonal map, viz.

$\mathbb{P} \rightarrow \mathbb{P} \& \mathbb{P} \rightarrow_s \mathbb{P} \otimes \mathbb{P}$

will play a role later in the semantics of the metalanguage, allowing us to duplicate arguments to maps of a certain kind.

4.4 Lifted Sums

The category $\mathbf{Dom}$ does not have coproducts. However, we can build a useful sum in $\mathbf{Dom}$ with the help of the coproduct of $\mathbf{Dom}_s$ and lifting. Let $\mathbb{P}_i$, for $i \in I$, be a family of path orders. As their lifted sum we take the disjoint union of the path orders $\mathbb{P}_{i\bot}$ over the underlying set $\bigcup_{i \in I} \{i\} \times \mathbb{P}_{i\bot}$, written $\Sigma_{i \in I}\, \mathbb{P}_{i\bot}$; the latter path order forms a coproduct in $\mathbf{Dom}_s$ with the obvious injections $\mathit{in}_j: \mathbb{P}_{j\bot} \rightarrow_s \Sigma_{i \in I}\, \mathbb{P}_{i\bot}$, for $j \in I$. The injections $\mathit{In}_j: \mathbb{P}_j \rightarrow \Sigma_{i \in I}\, \mathbb{P}_{i\bot}$ in $\mathbf{Dom}$, for $j \in I$, are defined to be the composition $\mathit{In}_j(-) = \mathit{in}_j(\lfloor - \rfloor)$. This construction is not a coproduct in $\mathbf{Dom}$. However, it does satisfy a weaker property analogous to the universal property of a coproduct. Suppose $f_i: \mathbb{P}_i \rightarrow \mathbb{Q}$ are maps in $\mathbf{Dom}$ for all $i \in I$. Then, there is a unique mediating map

$f: \Sigma_{i \in I}\, \mathbb{P}_{i\bot} \rightarrow_s \mathbb{Q}$

in $\mathbf{Dom}_s$ (note the subscript) such that

$f \circ \mathit{In}_i = f_i$

for all $i \in I$.

Suppose that the family of maps $f_i: \mathbb{P}_i \rightarrow \mathbb{Q}$, with $i \in I$, has the property that each $f_i$ is constantly $\emptyset$ whenever $i \in I$ is different from $j$ and that $f_j$ is $h: \mathbb{P}_j \rightarrow \mathbb{Q}$. Write $[h]_j: \Sigma_{i \in I}\, \mathbb{P}_{i\bot} \rightarrow_s \mathbb{Q}$ for the unique mediating map obtained for this choice. Then

$[h]_j(\mathit{In}_j(z)) = h(z)$, $\quad [h]_j(\mathit{In}_i(z)) = \emptyset$ if $i \neq j$, $\quad$ and $\quad [h]_j(\emptyset) = \emptyset$ .

For a general family $f_i: \mathbb{P}_i \rightarrow \mathbb{Q}$, with $i \in I$, we can describe the action of the mediating morphism on $x \in \widehat{\Sigma_{i \in I}\, \mathbb{P}_{i\bot}}$ as $f(x) = \Sigma_{i \in I}\, [f_i]_i(x)$.

Because lifted sum is not a coproduct we do not have that tensor distributes over lifted sum to within isomorphism. However there is a map in $\mathbf{Dom}_s$

$\mathit{dist}: \mathbb{Q} \otimes \Sigma_{i \in I}\, \mathbb{P}_{i\bot} \rightarrow_s \Sigma_{i \in I}\, (\mathbb{Q} \otimes \mathbb{P}_i)_\bot$

expressing a form of distributivity, given as the extension of the function

$h: \mathbb{Q}_\bot \times (\Sigma_{i \in I}\, \mathbb{P}_{i\bot})_\bot \rightarrow \widehat{\Sigma_{i \in I}\, (\mathbb{Q} \otimes \mathbb{P}_i)_\bot}$; $\quad h(q, (i, p)) = (i, (q, p))$, $\quad h(q, \bot) = \emptyset$ .

Unary lifted sums in $\mathbf{Dom}$, when $I$ is a singleton, are an important special case as they amount to lifting.

4.5 Recursive Definitions

Suppose that we wish to model a process language rather like CCS but where processes are passed instead of discrete values, subject to the linearity constraint that when a process is received it can be run at most once. Assume the synchronised communication occurs along channels forming the set $A$. The path orders can be expected to satisfy the following equations:

$\mathbb{P} = \mathbb{P}_\bot + \Sigma_{a \in A}\, \mathbb{C}_\bot + \Sigma_{a \in A}\, \mathbb{F}_\bot$, $\quad \mathbb{C} = \mathbb{P} \otimes \mathbb{P}$, $\quad \mathbb{F} = (\mathbb{P} \multimap \mathbb{P})$ .

The three components of process paths $\mathbb{P}$ represent paths beginning with a silent ($\tau$) action, an output on a channel ($a!$), resuming as a concretion path (in $\mathbb{C}$), and an input from a channel ($a?$), resuming as an abstraction path (in $\mathbb{F}$). It is our choice of path for abstractions which narrows us to a linear process-passing language, one where the input process can be run at most once to yield a single (computation) path.

Fortunately the simple technique for solving recursive domain equations via information systems in […] suffices to solve such equations. A path order $\mathbb{P}$ can be regarded as an information system in which every finite subset of $\mathbb{P}$ is consistent and in which the entailment relation is given by the partial order $\leq$ of $\mathbb{P}$, so $\{p'\} \vdash p$ iff $p \leq p'$. Path orders under the order

$\mathbb{P} \trianglelefteq \mathbb{Q} \iff \mathbb{P} \subseteq \mathbb{Q} \;\&\; (\forall p, p' \in \mathbb{P}.\; p \leq_{\mathbb{P}} p' \iff p \leq_{\mathbb{Q}} p')$

form a (large) cpo with respect to which all the constructions on path orders we have just seen are continuous (their continuity is verified just as in information systems by showing them monotonic w.r.t. $\trianglelefteq$ and "continuous on token sets"). Solutions to equations like those above are then obtained as (simultaneous) least fixed points.
5 A Metalanguage

Assume that path orders are presented using the constructions with the following syntax:

$\mathbb{T} ::= \mathbb{O} \mid \mathbb{T}_1 \otimes \mathbb{T}_2 \mid \mathbb{T}_1 \multimap \mathbb{T}_2 \mid \Sigma_{i \in I}\, \mathbb{T}_{i\bot} \mid \mathbb{T}_1 \& \mathbb{T}_2 \mid \mathbb{P} \mid \mu_j \mathbb{P}_1, \ldots, \mathbb{P}_k.(\mathbb{T}_1, \ldots, \mathbb{T}_k)$

All the construction names have been met earlier with the exception of the notation for recursively defined path orders. Above $\mathbb{P}$ is drawn from a set of variables used in the recursive definition of path orders; $\mu_j \mathbb{P}_1, \ldots, \mathbb{P}_k.(\mathbb{T}_1, \ldots, \mathbb{T}_k)$ stands for the $j$-component (so $1 \leq j \leq k$) of the $\trianglelefteq$-least solution to the defining equations

$\mathbb{P}_1 = \mathbb{T}_1, \ldots, \mathbb{P}_k = \mathbb{T}_k$ ,

in which the expressions $\mathbb{T}_1, \ldots, \mathbb{T}_k$ may contain $\mathbb{P}_1, \ldots, \mathbb{P}_k$. We shall write $\mu \mathbb{P}_1, \ldots, \mathbb{P}_k.(\mathbb{T}_1, \ldots, \mathbb{T}_k)$ as an abbreviation for

$(\mu_1 \mathbb{P}_1, \ldots, \mathbb{P}_k.(\mathbb{T}_1, \ldots, \mathbb{T}_k), \ldots, \mu_k \mathbb{P}_1, \ldots, \mathbb{P}_k.(\mathbb{T}_1, \ldots, \mathbb{T}_k))$ .

In future we will often use vector notation and, for example, write $\mu \vec{\mathbb{P}}.\vec{\mathbb{T}}$ for the expression above, and confuse a closed expression for a path order with the path order itself.

The operations of Sections 0 and 0 form the basis of a “raw” syntax of terms 
which will be subject to typing and linearity constraints later: 



::= x,y,z,--- 

0 I I 

rec x.t I 
Xx.t \ u • V I 

I [t>Inj{x)^u] I 
{t,u) I [t > (a:,-) ^ u] I 
[t > (~,x) => u] I 
t0u I [t > X (^y ^ u] 



(Variables) 

(Sums) 

(Recursive definitions) 

(Abstraction and application) 
(Injections and tests for lifted sums) 

(Pairing and tests for products) 
(Tensor operation and tests) 



The language is similar to that in [?], being based on a form of pattern matching. In particular $[t > \mathrm{Inj}(x) \Rightarrow u]$ “tests” or matches $t$, denoting an element of a lifted sum, against the pattern $\mathrm{Inj}(x)$ and passes the results of successful matches for $x$ on to $u$; how the possibly multiple results of successful matches are combined into a final result varies according to the category in which the language is interpreted. Accordingly, variables like $x$ in such patterns are binding occurrences and bind later occurrences of the variable in the body, $u$ in this case. We shall take for granted an understanding of free and bound variables, and substitution on raw terms. In examples we’ll allow ourselves to use $+$ both in writing sums of terms and lifted sums of path orders.

Let $P_1,\ldots,P_k$ be closed expressions for path orders and assume that the variables $x_1,\ldots,x_k$ are distinct. A syntactic judgement

$$x_1 : P_1,\ \ldots,\ x_k : P_k \vdash t : Q$$

stands for a map

$$\llbracket x_1 : P_1, \ldots, x_k : P_k \vdash t : Q \rrbracket : P_1 \otimes \cdots \otimes P_k \longrightarrow Q$$

in $\mathbf{Dom}$. We shall typically write $\Gamma$, or $\Delta$, for an environment list $x_1 : P_1, \ldots, x_k : P_k$. We shall most often abbreviate the denotation map to

$$P_1 \otimes \cdots \otimes P_k \xrightarrow{\ t\ } Q\ , \quad \text{or even} \quad \Gamma \xrightarrow{\ t\ } Q\ .$$

Here $k$ may be $0$, so the list in the syntactic judgement is empty and the corresponding tensor product is the empty path order $\mathbb{O}$.

A linear language will restrict copying and so substitutions of a common term into distinct variables. The counterpart in the models is the absence of a suitable diagonal map from objects $P$ to $P \otimes P$. For example the function $x \mapsto x \otimes x$ from $\widehat{P}$ to $\widehat{P\otimes P}$ is not in general a map in $\mathbf{Dom}$. To see this assume that $P$ is the discrete order on the set $\{a, b\}$. Then the nonempty join $x = a{\downarrow} \cup b{\downarrow}$ is not sent to

$$(a{\downarrow} \otimes a{\downarrow}) \cup (b{\downarrow} \otimes b{\downarrow}) = \{(a,a), (b,b), (a,\perp), (\perp,b)\}$$

as would be needed to preserve non-empty joins, but instead to

$$x \otimes x = \{(a,a), (b,b), (a,b), (a,\perp), (\perp,b)\}$$

with the extra “cross term” $(a,b)$. Consider a term $t(x,y)$, with its free variables $x$ and $y$ shown explicitly, for which

$$x : P,\ y : P \vdash t(x,y) : Q\ ,$$

corresponding to a map $P \otimes P \xrightarrow{\ t\ } Q$ in $\mathbf{Dom}$. This does not generally entail that

$$x : P \vdash t(x,x) : Q$$

holds; there may not be a corresponding map in $\mathbf{Dom}$, for example if $t(x,y) = x \otimes y$. There is however a condition on how the variables $x$ and $y$ occur in $t$ which ensures that the judgement $x : P \vdash t(x,x) : Q$ holds and that it denotes the map in $\mathbf{Dom}$ obtained as the composition

$$P \longrightarrow P \,\&\, P \xrightarrow{\ \sigma\ } P \otimes P \xrightarrow{\ t\ } Q$$

using the maps seen earlier. Semantically, the map $P \otimes P \xrightarrow{\ t\ } Q$ has to be essentially a map $P \,\&\, P \to Q$, more precisely the left Kan extension of such a map along $\sigma$. Syntactically, this is assured if the variables $x$ and $y$ are not crossed in $t$ according to the following definition:

Definition 2. Let $t$ be a raw term. Say a set of variables $V$ is crossed in $t$ iff there are subterms of $t$ of the form

$$\text{a tensor } s \otimes u,\quad \text{an application } s \cdot u,\quad \text{or a test } [s > \cdots \Rightarrow u]$$

for which $t$ has free occurrences of variables from $V$ appearing in both $s$ and $u$.

For example, variables $x$ and $y$ are crossed in $x \otimes y$, but variables $x$ and $y$ are not crossed in $(x + y) \otimes z$. Note that a set of variables $V$ is crossed in a term $t$ iff $V$ contains variables $x, y$, not necessarily distinct, so that $\{x, y\}$ is crossed in $t$. We are mainly interested in when sets of variables are not crossed in a term.

The term-formation rules are listed below alongside their interpretations as constructors on morphisms, taking the morphisms denoted by the premises to that denoted by the conclusion. We assume that the variables in any environment list which appears are distinct.

Structural rules:

$$\frac{}{x : P \vdash x : P}\ ,\quad \text{interpreted as}\quad P \xrightarrow{\ 1_P\ } P$$

$$\frac{\Delta \vdash t : P}{\Gamma, \Delta \vdash t : P}\ ,\quad \text{interpreted as}\quad \frac{\Delta \xrightarrow{\ t\ } P}{\Gamma \otimes \Delta \longrightarrow \Delta \xrightarrow{\ t\ } P}$$

$$\frac{\Gamma, x : P, y : Q, \Delta \vdash t : R}{\Gamma, y : Q, x : P, \Delta \vdash t : R}\ ,\quad \text{via } s : \Gamma \otimes Q \otimes P \otimes \Delta \cong \Gamma \otimes P \otimes Q \otimes \Delta \text{ as}\quad \frac{\Gamma \otimes P \otimes Q \otimes \Delta \xrightarrow{\ t\ } R}{\Gamma \otimes Q \otimes P \otimes \Delta \xrightarrow{\ s\ } \Gamma \otimes P \otimes Q \otimes \Delta \xrightarrow{\ t\ } R}$$

Recursive path orders:

$$\frac{\Gamma \vdash t : T_j[\mu\vec P.\vec T/\vec P]}{\Gamma \vdash t : \mu_j\vec P.\vec T} \qquad\qquad \frac{\Gamma \vdash t : \mu_j\vec P.\vec T}{\Gamma \vdash t : T_j[\mu\vec P.\vec T/\vec P]}$$

where the premise and conclusion of each rule are interpreted as the same map because $\mu_j\vec P.\vec T$ and $T_j[\mu\vec P.\vec T/\vec P]$ denote equal path orders.

Sums of terms:

$$\frac{}{\Gamma \vdash \emptyset : P}\ ,\quad \text{interpreted as}\quad \Gamma \xrightarrow{\ \emptyset\ } P\ ,\ \text{the constantly } \emptyset \text{ map.}$$

$$\frac{\Gamma \vdash t_i : P\ \text{ for all } i \in I}{\Gamma \vdash \sum_{i\in I} t_i : P}\ ,\quad \text{interpreted as}\quad \frac{\Gamma \xrightarrow{\ t_i\ } P\ \text{ for all } i \in I}{\Gamma \xrightarrow{\ \sum_{i\in I} t_i\ } P}$$

Recursive definitions:

$$\frac{\Gamma, x : P \vdash t : P \qquad \{w, x\} \text{ not crossed in } t \text{ for all } w \text{ in } \Gamma}{\Gamma \vdash \mathrm{rec}\,x.t : P}\ ,\quad \text{interpreted as}\quad \frac{\Gamma \otimes P \xrightarrow{\ t\ } P}{\Gamma \xrightarrow{\ \mathrm{fix}\,F\ } P}$$

where, for $\Gamma \otimes P \xrightarrow{\ g\ } P$, the map $F(g)$ is the composition

$$\Gamma \longrightarrow \Gamma \,\&\, \Gamma \xrightarrow{\ \sigma\ } \Gamma \otimes \Gamma \xrightarrow{\ 1 \otimes g\ } \Gamma \otimes P \xrightarrow{\ t\ } P$$

(see the earlier section on fixed points).

Abstraction:

$$\frac{\Gamma, x : P \vdash t : Q}{\Gamma \vdash \lambda x.t : P \multimap Q}\ ,\quad \text{interpreted as}\quad \frac{\Gamma \otimes P \xrightarrow{\ t\ } Q}{\Gamma \xrightarrow{\ \mathrm{curry}\,t\ } (P \multimap Q)}$$

Application:

$$\frac{\Gamma \vdash u : P \multimap Q \qquad \Delta \vdash v : P}{\Gamma, \Delta \vdash u \cdot v : Q}\ ,\quad \text{interpreted as}\quad \frac{\Gamma \xrightarrow{\ u\ } (P \multimap Q) \qquad \Delta \xrightarrow{\ v\ } P}{\Gamma \otimes \Delta \xrightarrow{\ u \otimes v\ } (P \multimap Q) \otimes P \xrightarrow{\ \mathrm{app}\ } Q}$$

Injections and test for lifted sums:

$$\frac{\Gamma \vdash t : P_j}{\Gamma \vdash \mathrm{Inj}(t) : \sum_{i\in I} (P_i)_\perp}\ \ (j \in I)\ ,\quad \text{interpreted as}\quad \frac{\Gamma \xrightarrow{\ t\ } P_j}{\Gamma \xrightarrow{\ t\ } P_j \longrightarrow \sum_{i\in I} (P_i)_\perp}$$

where the second map is the $j$th injection into the lifted sum.

$$\frac{\Gamma, x : P_j \vdash u : Q \qquad \Delta \vdash t : \sum_{i\in I} (P_i)_\perp}{\Gamma, \Delta \vdash [t > \mathrm{Inj}(x) \Rightarrow u] : Q}\ \ (j \in I)\ ,\quad \text{interpreted as}\quad \frac{\Gamma \otimes P_j \xrightarrow{\ u\ } Q \qquad \Delta \xrightarrow{\ t\ } \sum_{i\in I} (P_i)_\perp}{\Gamma \otimes \Delta \xrightarrow{\ 1 \otimes t\ } \Gamma \otimes \sum_{i\in I} (P_i)_\perp \xrightarrow{\ \mathrm{dist}\ } \sum_{i\in I} (\Gamma \otimes P_i)_\perp \longrightarrow Q}$$

where the last map is the mediating morphism out of the lifted sum determined by $u$ on the $j$th summand.

Pairing and tests for products:

$$\frac{\Gamma \vdash t : P \qquad \Gamma \vdash u : Q}{\Gamma \vdash (t, u) : P \,\&\, Q}\ ,\quad \text{interpreted as}\quad \frac{\Gamma \xrightarrow{\ t\ } P \qquad \Gamma \xrightarrow{\ u\ } Q}{\Gamma \xrightarrow{\ \langle t, u \rangle\ } P \,\&\, Q}$$

$$\frac{\Gamma, x : P \vdash u : R \qquad \Delta \vdash t : P \,\&\, Q}{\Gamma, \Delta \vdash [t > (x, -) \Rightarrow u] : R}\ ,\quad \text{interpreted as}\quad \frac{\Gamma \otimes P \xrightarrow{\ u\ } R \qquad \Delta \xrightarrow{\ t\ } P \,\&\, Q}{\Gamma \otimes \Delta \xrightarrow{\ 1 \otimes (\pi_1 \circ t)\ } \Gamma \otimes P \xrightarrow{\ u\ } R}$$

$$\frac{\Gamma, x : Q \vdash u : R \qquad \Delta \vdash t : P \,\&\, Q}{\Gamma, \Delta \vdash [t > (-, x) \Rightarrow u] : R}\ ,\quad \text{interpreted as}\quad \frac{\Gamma \otimes Q \xrightarrow{\ u\ } R \qquad \Delta \xrightarrow{\ t\ } P \,\&\, Q}{\Gamma \otimes \Delta \xrightarrow{\ 1 \otimes (\pi_2 \circ t)\ } \Gamma \otimes Q \xrightarrow{\ u\ } R}$$

Tensor operation and test for tensor:

$$\frac{\Gamma \vdash t : P \qquad \Delta \vdash u : Q}{\Gamma, \Delta \vdash t \otimes u : P \otimes Q}\ ,\quad \text{interpreted as}\quad \frac{\Gamma \xrightarrow{\ t\ } P \qquad \Delta \xrightarrow{\ u\ } Q}{\Gamma \otimes \Delta \xrightarrow{\ t \otimes u\ } P \otimes Q}$$

$$\frac{\Gamma, x : P, y : Q \vdash u : R \qquad \Delta \vdash t : P \otimes Q}{\Gamma, \Delta \vdash [t > x \otimes y \Rightarrow u] : R}\ ,\quad \text{interpreted as}\quad \frac{\Gamma \otimes P \otimes Q \xrightarrow{\ u\ } R \qquad \Delta \xrightarrow{\ t\ } P \otimes Q}{\Gamma \otimes \Delta \xrightarrow{\ 1 \otimes t\ } \Gamma \otimes P \otimes Q \xrightarrow{\ u\ } R}$$
Proposition 3. Suppose $\Gamma, x : P \vdash t : Q$. Then the set $\{x\}$ is not crossed in $t$.

Lemma 4. (Well-formed substitutions) Suppose

$$\Gamma, x_1 : P, \ldots, x_k : P \vdash t : Q$$

and that the set of variables $\{x_1, \ldots, x_k\}$ is not crossed in $t$. Suppose $\Delta \vdash u : P$ where the variables of $\Gamma$ and $\Delta$ are disjoint. Then,

$$\Gamma, \Delta \vdash t[u/x_1, \ldots, u/x_k] : Q\ .$$

In particular, as singleton sets of variables are not crossed in well-formed terms, we immediately deduce:

Corollary 5. If $\Gamma, x : P \vdash t : Q$ and $\Delta \vdash u : P$, where the variables of $\Gamma$ and $\Delta$ are disjoint, then $\Gamma, \Delta \vdash t[u/x] : Q$.

Exploiting the naturality of the various operations used in the semantic definitions, we can show:

Lemma 6. (Substitution Lemma) Suppose $\Gamma, x : P \vdash t : Q$ and $\Delta \vdash u : P$ where $\Gamma$ and $\Delta$ have disjoint variables. Then,

$$\llbracket \Gamma, \Delta \vdash t[u/x] : Q \rrbracket = \llbracket \Gamma, x : P \vdash t : Q \rrbracket \circ (1_\Gamma \otimes \llbracket \Delta \vdash u : P \rrbracket)\ .$$

In particular, linear application amounts to substitution:

Lemma 7. Suppose $\Gamma \vdash (\lambda x.t) \cdot u : Q$. Then $\Gamma \vdash t[u/x] : Q$ and

$$\llbracket \Gamma \vdash (\lambda x.t) \cdot u : Q \rrbracket = \llbracket \Gamma \vdash t[u/x] : Q \rrbracket\ .$$

5.1 Extending the Metalanguage

General patterns are well-formed terms built up according to

$$p ::= x \;\mid\; \emptyset \;\mid\; \mathrm{Inj}(p) \;\mid\; p \otimes q \;\mid\; (p, -) \;\mid\; (-, p) \;\mid\; p \mapsto p'\ .$$

A test on a pattern $[u > p \Rightarrow t]$ binds the free variables of the pattern $p$ to the resumptions after following the path specified by the pattern in $u$; because the term $t$ may contain these variables freely the resumptions may influence the computation of $t$. Such a test is understood inductively as an abbreviation for a term in the metalanguage:

$$[u > x \Rightarrow t] = (\lambda x.t) \cdot u\ , \qquad [u > \emptyset \Rightarrow t] = t\ ,$$

$$[u > \mathrm{Inj}(p) \Rightarrow t] = [u > \mathrm{Inj}(x) \Rightarrow [x > p \Rightarrow t]] \quad \text{for a fresh variable } x,$$

$$[u > (p, -) \Rightarrow t] = [u > (x, -) \Rightarrow [x > p \Rightarrow t]] \quad \text{for a fresh variable } x,$$

$$[u > (-, p) \Rightarrow t] = [u > (-, x) \Rightarrow [x > p \Rightarrow t]] \quad \text{for a fresh variable } x,$$

$$[u > p \otimes q \Rightarrow t] = [u > x \otimes y \Rightarrow [x > p \Rightarrow [y > q \Rightarrow t]]] \quad \text{for fresh variables } x, y,$$

$$[u > (p \mapsto q) \Rightarrow t] = [u > f \Rightarrow [f \cdot p > q \Rightarrow t]] \quad \text{for a fresh variable } f.$$

Let $\lambda x \otimes y.t$ stand for $\lambda w.[w > x \otimes y \Rightarrow t]$, where $w$ is a fresh variable, and write $[u_1 > p_1, \ldots, u_k > p_k \Rightarrow t]$ to abbreviate $[u_1 > p_1 \Rightarrow [\cdots [u_k > p_k \Rightarrow t] \cdots]]$.
5.2 Interpretation in Con

We can interpret the metalanguage in the category of presheaf models $\mathbf{Con}$ with essentially the same constructions and operations as those in $\mathbf{Dom}$, once we replace $\mathbf{2}$ by $\mathbf{Set}$ and understand (nonempty) joins as (connected) colimits; the category of presheaf models $\mathbf{Col}$ will play the role of $\mathbf{Dom}_\perp$. Because now domains $[P^{op}, \mathbf{2}]$ are replaced by presheaf categories $[P^{op}, \mathbf{Set}]$ we shall often have to make do with isomorphism rather than straight equality.

In fact, to mimic the mathematics behind the interpretation of the metalanguage in $\mathbf{Dom}$, all that’s required of a category $\mathbf{V}$, in place of $\mathbf{2}$, is that it has all colimits and all finite products. Now $\widehat{P}$, taken to be $[P^{op}, \mathbf{V}]$, will have all colimits, in particular coproducts to interpret (nondeterministic) sums, and will also support left Kan extensions to play the role of $(-)^\dagger$. We can understand the embedding $(-){\downarrow} : P \to \widehat{P}$ through the initial and terminal objects $0$ and $1$ of $\mathbf{V}$. The lifting map $\lfloor - \rfloor : \widehat{P} \to \widehat{P_\perp}$, again defined so $\lfloor x \rfloor(\perp) = 1$ and $\lfloor x \rfloor(p{\downarrow}) = x(p)$, will preserve connected colimits. Using the product of $\mathbf{V}$, instead of that of $\mathbf{2}$, we can copy the definition of the functor

The advantage of this generality is that objects in the category $\mathbf{V}$ don’t just have to say whether a path is present in a process but can provide a “measure” of how. If $\mathbf{V}$ is $\mathbf{Set}$ a process will denote a presheaf $X$ which identifies the set of different ways $X(p)$ in which a path $p$ is realised.

6 Examples

6.1 CCS

As in CCS, assume a set of labels $A$, a complementation operation producing $\bar a$ from a label $a$, with $\bar{\bar a} = a$, and a distinct label $\tau$. In the metalanguage we can specify the path order $\mathbb{P}$ as the $\unlhd$-least solution

$$\mathbb{P} = \mathbb{P}_\perp + \sum_{a \in A} \mathbb{P}_\perp + \sum_{a \in A} \mathbb{P}_\perp\ ,$$

whose three components correspond to $\tau$, the labels $a$ and their complements $\bar a$. Write the injections from $\mathbb{P}$ into its expression as a lifted sum as $\tau.t$, $a.t$ and $\bar a.t$ for $a \in A$ and term $t$ of type $\mathbb{P}$. The curried CCS parallel composition can be defined as the following term of type $\mathbb{P} \multimap (\mathbb{P} \multimap \mathbb{P})$ in the metalanguage:

$$\begin{aligned}
\mathit{Par} = \mathrm{rec}\,P.\,\lambda x.\lambda y.\ & \sum_{\alpha \in A \cup \{\tau\}} [x > \alpha.x' \Rightarrow \alpha.(P \cdot x' \cdot y)]\ + \\
& \sum_{\alpha \in A \cup \{\tau\}} [y > \alpha.y' \Rightarrow \alpha.(P \cdot x \cdot y')]\ + \\
& \sum_{a \in A} [x > a.x',\ y > \bar a.y' \Rightarrow \tau.(P \cdot x' \cdot y')]\ .
\end{aligned}$$

The other CCS operations are easy to encode. Interpreted in $\mathbf{Dom}$ two CCS terms will have the same denotation iff they have the same traces (or execution sequences). By virtue of having been written down in the metalanguage the operation of parallel composition will preserve open-map bisimulation when interpreted in $\mathbf{Con}$; for this specific $\mathbb{P}$, open-map bisimulation coincides with strong bisimulation. In $\mathbf{Con}$ we can recover the expansion law for general reasons: the Substitution Lemmas hold in $\mathbf{Con}$, though with isomorphism replacing equality; the mediating morphisms associated with lifted sums are now in $\mathbf{Col}$ (the analogue of $\mathbf{Dom}_\perp$) so that tests for lifted sums distribute over nondeterministic sums. In more detail, write $X|Y$ for $\mathit{Par} \cdot X \cdot Y$, where $X$ and $Y$ are terms of type $\mathbb{P}$. Suppose

$$X = \sum_{\alpha \in A \cup \{\tau\}}\ \sum_{i \in I(\alpha)} \alpha.X_i \qquad \text{and} \qquad Y = \sum_{\alpha \in A \cup \{\tau\}}\ \sum_{j \in J(\alpha)} \alpha.Y_j\ .$$

Using Lemma 7 and then that the tests distribute over nondeterministic sums,

$$\begin{aligned}
X|Y\ =\ & \sum_{\alpha \in A \cup \{\tau\}} [X > \alpha.x' \Rightarrow \alpha.(x'|Y)]\ +\ \sum_{\alpha \in A \cup \{\tau\}} [Y > \alpha.y' \Rightarrow \alpha.(X|y')] \\
& +\ \sum_{a \in A} [X > a.x',\ Y > \bar a.y' \Rightarrow \tau.(x'|y')] \\
\cong\ & \sum_{\alpha \in A \cup \{\tau\}}\ \sum_{i \in I(\alpha)} \alpha.(X_i|Y)\ +\ \sum_{\alpha \in A \cup \{\tau\}}\ \sum_{j \in J(\alpha)} \alpha.(X|Y_j) \\
& +\ \sum_{a \in A}\ \sum_{i \in I(a),\ j \in J(\bar a)} \tau.(X_i|Y_j)\ .
\end{aligned}$$
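The two claims made above for this path order, that the $\mathbf{Dom}$ interpretation identifies exactly the trace-equivalent terms while $\mathbf{Con}$ identifies strongly bisimilar ones and that $\mathit{Par}$ respects the latter, can be exercised on finite CCS terms. The Python below is an added example, not code from the paper: it represents a finite process (built from $\emptyset$, prefixing and $+$, with no `rec`) as a tuple of (action, continuation) pairs, implements `par` as the three summands of $\mathit{Par}$, and computes both the trace set and a strong-bisimulation check. Our conventions (assumptions, not the paper’s notation) are the string `"tau"` for $\tau$ and `"~a"` for $\bar a$.

```python
"""Finite CCS processes as sum-of-prefix trees, the parallel composition
Par of Section 6.1, trace sets (the Dom interpretation) and strong
bisimulation (open-map bisimulation in Con for this path order).
Constructed example, not code from the paper."""
from typing import FrozenSet, Tuple

TAU = "tau"                 # our spelling of the silent label
Process = Tuple             # tuple of (action, Process) pairs; () is nil
NIL: Process = ()


def comp(a: str) -> str:
    """Complementation: comp('a') == '~a' and comp('~a') == 'a'."""
    return a[1:] if a.startswith("~") else "~" + a


def prefix(a: str, p: Process) -> Process:
    """a.p, the injection of p into the a-component of the lifted sum."""
    return ((a, p),)


def plus(*ps: Process) -> Process:
    """Nondeterministic sum of processes (concatenation of summands)."""
    return tuple(s for p in ps for s in p)


def par(x: Process, y: Process) -> Process:
    """The three summands of Par: x moves alone, y moves alone, and a
    synchronisation on complementary labels producing tau."""
    left = tuple((a, par(x1, y)) for a, x1 in x)
    right = tuple((b, par(x, y1)) for b, y1 in y)
    sync = tuple((TAU, par(x1, y1))
                 for a, x1 in x for b, y1 in y
                 if a != TAU and b == comp(a))
    return left + right + sync


def traces(p: Process) -> FrozenSet[Tuple[str, ...]]:
    """All finite execution sequences of p (the empty sequence included)."""
    return frozenset({()} | {(a,) + t for a, p1 in p for t in traces(p1)})


def bisim(p: Process, q: Process) -> bool:
    """Strong bisimilarity of two finite processes."""
    def simulated(p: Process, q: Process) -> bool:
        return all(any(a == b and bisim(p1, q1) for b, q1 in q)
                   for a, p1 in p)
    return simulated(p, q) and simulated(q, p)
```

The classic pair $a.(b + c)$ and $a.b + a.c$ has the same trace set (so one denotation in $\mathbf{Dom}$) but is not bisimilar (so distinct in $\mathbf{Con}$); composing both with $\bar b$ through `par` preserves the first fact and the second, while a genuinely bisimilar pair stays bisimilar after composition.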

The equation for the path order for CCS with early value-passing would be very similar to that above. An equation suitable for late value-passing is

$$\mathbb{P} = \mathbb{P}_\perp + \sum_{a \in A,\ v \in V} \mathbb{P}_\perp + \sum_{a \in A} \Bigl(\sum_{v \in V} \mathbb{P}_\perp\Bigr)_\perp\ ,$$

though this is not the same equation as in [?] which has a different final component; perhaps the metalanguage should be broadened to allow this.

6.2 A Linear Higher-Order Process Language

Recall the path orders for processes, concretions and abstractions for a higher-order language in Section 4.5. We are chiefly interested in the parallel composition of processes, $\mathit{Par}_{\mathbb{P},\mathbb{P}}$ of type $\mathbb{P} \otimes \mathbb{P} \multimap \mathbb{P}$. But parallel composition is really a family of mutually dependent operations also including components such as $\mathit{Par}_{\mathbb{F},\mathbb{C}}$ of type $\mathbb{F} \otimes \mathbb{C} \multimap \mathbb{P}$ to say how abstractions compose in parallel with concretions etc. All these components can be tupled together in a product using $\&$, and parallel composition defined as a simultaneous recursive definition whose component at $\mathbb{P} \otimes \mathbb{P} \multimap \mathbb{P}$ satisfies

$$\begin{aligned}
P|Q\ =\ & \sum_\alpha [P > \alpha.P' \Rightarrow \alpha.(P'|Q)]\ + \\
& \sum_\alpha [Q > \alpha.Q' \Rightarrow \alpha.(P|Q')]\ + \\
& \sum_a [P > a?F,\ Q > a!S \otimes R \Rightarrow \tau.(F \cdot S\,|\,R)]\ + \\
& \sum_a [P > a!S \otimes R,\ Q > a?F \Rightarrow \tau.(R\,|\,F \cdot S)]\ ,
\end{aligned}$$

where we have chosen suggestive names for the injections and, for instance, $P|Q$ abbreviates $\mathit{Par}_{\mathbb{P},\mathbb{P}} \cdot (P \otimes Q)$. In the summations $a \in A$ and $\alpha$ ranges over $a!$, $a?$, $\tau$ for $a \in A$.

7 Problems

The interpretation of the metalanguage in $\mathbf{Con}$ provides a base from which to examine its equational theory and operational semantics. We should update the treatment of bisimulation in [?] to take better account of $\mathbf{Con}$ and the metalanguage.

The range of interpretations for the metalanguage indicated in Section 5.2 is restrictive, for example, in requiring $\mathbf{V}$ to be cocomplete. As remarked in [?] there are sensible choices for $\mathbf{V}$ which are not cocomplete, the countable sets for instance, provided we also restrict the path orders to be countable.

Perhaps instantiating $\mathbf{V}$ to some specific category can help provide a “presheaf model” of a higher-order Pi-Calculus to accompany [?]. This would be a good basis from which to compare and relate with the project of action structures [?].

The metalanguage here cries out for extensions in two directions, one to cope with name generation as in the Pi-Calculus, the other to go beyond linearity. The exponential $!$ of [?] is appropriate to the latter, but its effects on open-map bisimulation are not understood.

The question of how to approach higher-order independence models remains.

How to turn the framework on weak bisimulation and contextual equivalence is the subject of current work based on a lead by Marcelo Fiore.

Gian Luca Cattani and I are working on how to understand open-map bisimulation at higher-order in operational terms [?].
Abstract. In this paper, we extend the verification method based on the failure semantics of process algebra and the resulting trace theory by Dill et al. for bounded delay asynchronous circuits. We define a timed conformance relation between trace structures which allows us to express both safety and responsiveness properties. In our approach, bounded delay circuits as well as their real-time properties are modelled by time Petri nets. We give an explicit state-exploration algorithm to determine whether an implementation conforms to a specification. Since for I/O-conflict free specifications the conformance relation is transitive, this algorithm can be used for hierarchical verification of large asynchronous circuits. We describe the implementation of our method and give some experimental results which demonstrate its efficiency.



Keywords: Trace Theory, Time Petri Nets, Failure Analysis, Conformance 
Checking, State Space Exploration, Asynchronous Circuits, Hardware Verifica- 
tion, Delay Analysis, Real Time Systems, Computer Aided Verification 

1 Introduction 

One of the main problems in the design of wafer-scale integrated circuits is 
the distribution of the global clock signal. Difficulties which arise in the design 
of large synchronous circuits are clock skews, clock delay estimation in layout 
design, etc. Therefore, asynchronous processors without a global clock are of in- 
creasing interest. However, asynchronous circuits are difficult to construct since 
the timing analysis often is very complex. Because of this reason, asynchronous 
circuits are usually modelled with a speed independent model, where the gate 
delays are unbounded, or are bounded by an unknown constant. Most of the 
research on design, synthesis, and verification of asynchronous circuits has been 
done under this model. Although the speed independent model is quite power- 
ful, the possibility of unbounded delay can force the designer to add additional 
complexity to the circuit. For example, Muller’s C element [MB 59], defined by the truth table in Fig. 1(a), is implemented by the circuit of Fig. 1(b).

This implementation, however, is not correct under the speed independent 
model. Assuming that each gate can have an unbounded delay, there exists a 



A.M. Haeberer (Ed.): AMAST’98, LNCS 1548, pp. 59-^3 1998. 
(c) Springer- Verlag Berlin Heidelberg 1998 
Fig. 1. Muller’s C element: truth table and gate-level implementation.



signal transition sequence in which the output illegally goes down before both 
inputs go down (suppose all wires initially have the value 0) : 

at & T Wot cT Wot c[ . 

The reason for this alleged fault is an extremely large delay of the gate with output $w_1$. With any well-processed VLSI, such a large delay should be impossible. In actual designs, the given circuit can be safely used to implement a C element. Thus, the speed independent model sometimes is not appropriate. In this paper we use a bounded delay model to model asynchronous circuits, where a lower and an upper bound for the delay is associated with each gate.

In [Dil 88], an efficient verification method for speed independent circuits was proposed, which is based on trace theory. The primary advantage of this method is the possibility of hierarchical verification, which greatly reduces the complexity of the verification procedure. However, this method is only suited for verifying safety properties.

In this paper we adapt Dill’s verification method to the bounded delay model. 
First, we show how trace theory can be extended to handle timed traces as 
well as certain timing requirements. We then describe time Petri nets as an 
appropriate model for asynchronous bounded delay circuits. Subsequently, we 
derive an algorithm to check whether an implementation, consisting of a set of 
modules, meets its specification. Finally, we give some experimental results and 
concluding remarks. 



2 Timed Trace Theory 

Let us briefly describe verification based on trace theory. In this method, the 
specification of a circuit is given as a trace automaton, i.e. a finite automaton 
over an input alphabet I and output alphabet O. The implementation, which is 
supposed to be a set of modules, is given as a set of trace automata, each one 
representing the behavior of its related module. Then, special composition and 
hiding operations on trace automata are defined. The implementation conforms 
to the specification, if they agree on the input and output alphabets, respectively,
and the implementation can be safely substituted for the specification in every 
context. This means, that the implementation causes a failure in an environment 
only if the specification also causes a failure in that environment. 

A failure of a module in an environment is an output of the module which 
is not accepted by the environment, or an output of the environment which is 
not accepted by the module. By this definition, conformance can be expanded to 
the following requirements: the implementation should be able to handle every 
input that the specification can handle, and it never produces an output unless 
the specification can produce it. This in turn can be checked by considering the 
mirror of the specification, where all inputs are outputs and vice versa. The 
implementation conforms to the specification iff the result of hiding all internal 
signal transitions in the implementation and composing it with the mirror of the 
specification is failure-free. 

The verification approach proposed here is the timed version of this method, 
where time Petri nets and timed traces are used instead of automata and traces. 
The extension to real-time makes it also possible to verify certain timing prop- 
erties. 

In the rest of this section, we define timed traces and their related notions, 
and the conformance relation between specification and implementation. 

Let $W$ be a set of wires, and let $\mathbb{Q}$ denote the set of nonnegative rational numbers. For any $w \in W$ and $t \in \mathbb{Q}$, the tuple $(w, t)$ is called an event. Intuitively, $(w, t)$ represents the change of the value of wire $w$ at time $t$.

Definition 1. A (timed) trace $x$ over $W$ is a finite or infinite sequence of events $x = x_1 x_2 \cdots$, where $x_i = (w_i, t_i)$, such that the following properties are satisfied:

— Monotonicity: for all $0 < i < |x|$, $t_i \le t_{i+1}$.

— Progress: if $x$ is infinite, then for every $t \in \mathbb{Q}$ there exists an index $i$ such that $t_i > t$.

In this definition, $|x|$ denotes the length of trace $x$. If $|x| = 0$, then $x$ is the empty trace $\varepsilon$. For any finite trace $x$, trace $y$, and event $e$, the result of appending $e$ or $y$ to $x$ is denoted by $x \circ e$ or $x \circ y$, respectively. $x$ is a prefix of $y$ if $y = x$ or $y = x \circ z$ for some trace $z$. The projection of a trace $x = x_1 \circ x_2 \circ \cdots$ over $W$ onto another alphabet $W'$ can be defined as usual:

$$\mathit{project}(x, W') = \begin{cases}
\varepsilon, & \text{if } x = \varepsilon \\
x_1 \circ y, & \text{if } x_1 = (w_1, t_1),\ w_1 \in W' \\
y, & \text{else,}
\end{cases}
\qquad \text{where } y = \mathit{project}(x_2 \circ x_3 \circ \cdots, W')\ .$$

Definition 2. A module or canonical trace structure is a tuple $M = (I, O, T)$, where $I$ is a set of input wires, $O$ is a set of output wires ($I \cap O = \emptyset$), and $T$ is a set of traces over $W = I \cup O$.
The traces of a module can be regarded as the set of all maximal execution sequences of some transition system. However, trace structures are insensitive to nondeterminism; they cannot distinguish between $a \circ (b + c)$ and $(a \circ b) + (a \circ c)$. In timed systems, usually the set of traces will be an infinite (or even uncountable) set of infinite sequences.

Now we consider the composition of several modules. Assume we are given a set $\mathcal{M} = \{M_1, \ldots, M_n\}$ of modules, where $M_k = (I_k, O_k, T_k)$, $W_k = I_k \cup O_k$, and $O_j \cap O_k = \emptyset$ for $j \ne k$. That is, each wire is either an input, an output, or both; in the latter case we say the wire is internal. Any wire can be an output of at most one module, and an input of arbitrarily many modules. Intuitively, modules are composed by soldering wires with the same name together. Output wires of one module are connected to input wires of other modules. However, in some cases this connection of wires may cause failures in the composed module.

If $M = (I, O, T)$, then $M$ without $w$ ($M \setminus w$) is the module $(I', O', T')$, where $I' = I - \{w\}$, $O' = O - \{w\}$ and $T' = \mathit{project}(T, I' \cup O')$. Module $M$ allows trace $x$ ($M \models x$) if there exists some trace $y$ such that $x$ is a prefix of $y$ and $\mathit{project}(y, W) \in T$. Furthermore, for $\mathcal{M} = \{M_1, \ldots, M_n\}$, we say that $\mathcal{M} \models x$ if $M_k \models x$ for all $k \le n$.

Definition 3. A safety failure of $\mathcal{M}$ is any nonempty finite trace $x = y \circ (w, t)$, where $w \in O_k$ for some $k \le n$, such that $\mathcal{M} \setminus w \models x$, and $M_k \models x$, but $\mathcal{M} \not\models x$.

Intuitively, a safety failure occurs if some module $M_k$ tries to send an output, but some other module cannot receive this as internal input. $\mathcal{M}$ is safety failure free if no safety failure can occur, i.e., if every output which may be produced by some module can be accepted by all other modules at the same time. Whenever a module can change the value on one of its output wires, all modules which have this wire connected as internal input must be able to process the signal immediately.

Definition 4. A timing failure of $\mathcal{M}$ is any nonempty finite trace $x = y \circ (w, t)$, where $w \in I_k$ for some $k \le n$, such that $\mathcal{M} \setminus w \models x$, and $M_k \models x$, but there is no $x' = y \circ (w', t')$, where $w' \in I_k$, and $\mathcal{M} \models x'$.

Intuitively, a timing failure occurs if some module $M_k$ expects an internal input from some other module which is not provided in time. $\mathcal{M}$ is timing failure free if whenever a module requests a signal on one of its internal input wires, there exists a module which can produce some signal as output within the required time interval. For any set $\mathcal{M} = \{M_1, \ldots, M_n\}$ of modules, $\mathit{failure}(\mathcal{M})$ is the set of all safety and timing failures of $\mathcal{M}$. $\mathcal{M}$ is failure-free if $\mathit{failure}(\mathcal{M}) = \emptyset$.

Next, we define a conformance relation between a system consisting of a set of modules and a specification given as a single module. Consider a set $\mathcal{M}_c = \{M_1, \ldots, M_n\}$ of modules, where $M_k = (I_k, O_k, T_k)$, and a module $M_s = (I_s, O_s, T_s)$ such that $I_s = \bigcup_k I_k - \bigcup_k O_k$ and $O_s \subseteq \bigcup_k O_k$. Module $M_s$ can be thought of as an abstract specification of the concrete circuit $\mathcal{M}_c$: all external inputs of the circuit $\mathcal{M}_c$ appear as inputs of the specification $M_s$, and some (but not necessarily all) outputs of the circuit $\mathcal{M}_c$ are visible in the specification $M_s$.
Definition 5. $\mathcal{M}_c$ conforms to $M_s$, if for any module $M_e = (O_s, I_s, T_e)$, whenever $\{M_s, M_e\}$ is failure-free, also $\mathcal{M}_c \cup \{M_e\}$ is failure-free.

In other words, the circuit $\mathcal{M}_c$ may have a failure in the environment $M_e$ only if the specification $M_s$ allows a failure in the same context. This conformance relation is reflexive and transitive, but not symmetric: the circuit may be failure-free even in contexts in which the specification fails.

A module $M$ is called I/O-conflict free, if for any trace $x$, and for all events $e_i = (w_i, t_i)$ and $e_o = (w_o, t_o)$ with $w_i \in I$ and $w_o \in O$, it holds that $M \models x \circ e_i$ and $M \models x \circ e_o$ implies $M \models x \circ e_i \circ e_o$ and $M \models x \circ e_o \circ e_i$. Since conflicts between inputs and outputs often indicate hazardous situations, specifications usually do not contain such conflicts. Thus, henceforth we assume that all specifications are I/O-conflict free.

Definition 6. The mirror module $M^m$ of a module $M = (I, O, T)$ is the module $M^m = (O, I, T)$; that is, each input wire in $M^m$ is an output wire of $M$ and vice versa.

For any module $M$, the set $\{M, M^m\}$ is failure-free. Moreover, the following hierarchy lemma holds:

Lemma 1. Consider three modules $M_1$, $M_2$ and $M_3$ such that $I_1 = I_2 = I_3$ and $O_1 \supseteq O_2 \supseteq O_3$. If $\{M_1, M_2^m\}$ is failure-free and $\{M_2, M_3^m\}$ is failure-free, then $\{M_1, M_3^m\}$ is failure-free.

Proof. Assume that both $\{M_1, M_2^m\}$ and $\{M_2, M_3^m\}$ are failure-free, and let $x = y \circ (w, t)$. We have to show that $\{M_1, M_3^m\}$ is failure-free. The following cases have to be considered.

1. First, assume that $w \in O_1$, $M_1 \models x$ and $M_3^m \setminus w \models x$, and show that $M_3^m \models x$. If $w \notin W_2$, then from $W_3 \subseteq W_2$, we have $w \notin W_3$. Thus, from $M_3^m \setminus w \models x$, we have $M_3^m \models x$. If $w \in W_2$, then $w$ cannot be from $I_2 = I_1$, since in this case it would be impossible to compose $M_1$ with $M_2^m$. Hence $w$ must be in $O_2$. Assume for contradiction that $M_2 \setminus w \not\models x$. Then there must be some $x' = y' \circ (w', t')$ such that $x'$ is an initial part of $x$, $M_2 \setminus w \models y'$ and $M_2 \setminus w \not\models x'$. Since $M_1 \models x$ and $M_3^m \setminus w \models x$, it follows that $M_1 \models x'$ and $M_3^m \setminus w \models x'$. Since $M_2 \setminus w \not\models x'$, we must have $w' \in W_2$. If $w' \in O_2$, then $w' \in O_1$. Since $\{M_1, M_2^m\}$ is safety failure-free, $M_2 \setminus w \models x'$, which is a contradiction. Similarly, if $w' \in I_2 = I_3 = O_3^m$, then since $\{M_2, M_3^m\}$ is safety failure-free, a contradiction arises. Thus, $M_2 \setminus w \models x$. Since $\{M_1, M_2^m\}$ is safety failure-free, $M_2^m \models x$, thus $M_2 \models x$. Since $\{M_2, M_3^m\}$ is safety failure-free, $w \in O_2$ and $M_3^m \setminus w \models x$ (hypothesis), we have $M_3^m \models x$.

2. The second case is symmetric to the first case: assume that $w \in O_3^m = I_3$, $M_3^m \models x$ and $M_1 \setminus w \models x$, and show that $M_1 \models x$. To be able to compose $M_1$ with $M_3^m$, the set $O_1 \cap O_3^m = O_1 \cap I_3$ must be empty. If $w \notin I_1$, then $M_1 = M_1 \setminus w$ and there is nothing to show. If $w \in I_1$, then $I_1 \subseteq I_2$ gives $w \in I_2 = O_2^m$. Similar to the previous case, $M_2 \setminus w \models x$. Since $\{M_2, M_3^m\}$ is safety failure-free, we can infer that $M_2 \models x$. Since $\{M_1, M_2^m\}$ is safety failure-free, it follows that $M_1 \models x$.

3. Next, assume that $w \in I_1$, $M_1 \models x$ and $M_3^m \setminus w \models x$, and show that $\{M_1, M_3^m\} \models y \circ (w', t')$ for some $w' \in I_1$. Since $\{M_1, M_2^m\}$ does not have timing failures, there is some $(w_1, t_1)$ with $w_1 \in I_1$ such that $\{M_1, M_2^m\} \models y \circ (w_1, t_1)$. Since $I_1 \subseteq I_2$ and $\{M_2, M_3^m\}$ does not have timing failures, there is some $(w_2, t_2)$ with $w_2 \in I_2$ such that $\{M_2, M_3^m\} \models y \circ (w_2, t_2)$. Since $w_2 \in I_2 = O_2^m$ and $\{M_1, M_2^m\}$ does not have safety failures, $M_1 \models y \circ (w_2, t_2)$.

4. Finally, assume that $w \in I_3^m = O_3$, $M_3^m \models x$ and $M_1 \setminus w \models x$, and show that $\{M_1, M_3^m\} \models y \circ (w', t')$ for some $w' \in O_3$. Since $\{M_2, M_3^m\}$ is timing failure-free, there is some $(w_1, t_1)$ such that $w_1 \in O_3$ and $\{M_2, M_3^m\} \models y \circ (w_1, t_1)$. Since $O_3 \subseteq O_2 = I_2^m$ and $\{M_1, M_2^m\}$ is timing failure-free, there is some $(w_2, t_2)$ such that $w_2 \in O_2$ and $\{M_1, M_2^m\} \models y \circ (w_2, t_2)$. Since $\{M_2, M_3^m\}$ is safety failure-free and $O_2 \subseteq O_3$, we have $\{M_1, M_3^m\} \models y \circ (w_2, t_2)$ as desired. $\square$

This lemma can be extended to deal with sets of modules instead of single modules. From the hierarchy lemma, the following mirror theorem can be obtained. It gives a similar characterization of conformance as in [Dil 88]:

Theorem 1. $\mathcal{M}_c$ conforms to $M_s$ iff $\mathcal{M}_c \cup \{M_s^m\}$ is failure-free.

Proof. Assume that $\mathcal{M}_c \cup \{M_s^m\}$ has a failure. Then for the environment $M_e = M_s^m$ we have that $\{M_s, M_e\}$ is failure-free, but $\mathcal{M}_c \cup \{M_e\}$ is not failure-free, i.e., $\mathcal{M}_c$ does not conform to $M_s$.

In the other direction, we have to show that failure-freeness of $\mathcal{M}_c \cup \{M_s^m\}$ implies that $\mathcal{M}_c$ conforms to $M_s$. Since $M_s$ is a specification for the circuit $\mathcal{M}_c$, $I_s = \bigcup_k I_k - \bigcup_k O_k$ and $O_s \subseteq \bigcup_k O_k$. If $\mathcal{M}_c \cup \{M_s^m\}$ is failure-free, then the hierarchy lemma asserts that for any module $M_e$ such that $W_e = W_s$ and $\{M_s, M_e\}$ is failure-free, $\mathcal{M}_c \cup \{M_e\}$ must also be failure-free. Thus, $\mathcal{M}_c$ conforms to $M_s$. $\square$

To get an intuitive understanding of the conformance relation, consider the case of a single module $M_c = (I_c, O_c, T_c)$ conforming to $M_s = (I_s, O_s, T_s)$. This amounts to $I_s = I_c$, $O_s \subseteq O_c$, and for all traces $x$ such that $\{M_c, M_s\} \models x$, and all events $i = (w_i, t_i)$, $w_i \in I_s$, and $o = (w_o, t_o)$, $w_o \in O_s$, the following holds:

— If $M_s \models x \circ i$, then $M_c \models x \circ i$,

— if $M_c \models x \circ o$, then $M_s \models x \circ o$,

— if $M_s \models x \circ o$, then there exists an $o' = (w'_o, t'_o)$, $w'_o \in O_s$, such that $\{M_s, M_c\} \models x \circ o'$, and

— if $M_c \models x \circ i$, then there exists an $i' = (w'_i, t'_i)$, $w'_i \in I_s$, such that $\{M_s, M_c\} \models x \circ i'$.

The first and second condition state that $\{M_c, M_s^m\}$ is safety failure-free: every input allowed by $M_s$ is allowed by $M_c$, and every output allowed by $M_c$ is allowed by $M_s$. The third condition reflects the definition of timing failure: as long as $M_s^m$ expects an input, that is, $M_s$ requires an output, $M_c$ should produce some output in time. The fourth condition is similar. If $M_c$ is constructed as an implementation for the specification $M_s$, then this can be read as:
— The implementation can handle every input that the specification can handle,

— the implementation never produces an output unless the specification pro- 
duces it, 

— if the specification requires an output, the implementation produces it in 
time, and 

— the implementation never expects an input unless the specification expects 
the input. 

Therefore, our definition of the conformance relation includes not only safety properties, but also a certain timing property. In the case of bounded delay asynchronous circuits the absence of timing failures amounts to in-time responsiveness, which is an important issue for verification. For example, consider the specification of an or-gate, where input $a$ or $b$ leads to output $c$ within a certain time. Suppose that this specification is implemented erroneously by an and-gate. Then, after sending $a$ to this circuit, it cannot produce the output $c$. However, since the specification requires such an output, this situation leads to a timing failure.

Note that we do not actually compose the modules constituting the imple- 
mentation. Therefore, in our approach it is not necessary to eliminate so-called 
autofailures, which arise from internal communication errors in a composed mod- 
ule. Also we do not have an explicit hiding operation: Failures resulting from the 
effect of hiding variables are transparent to the specification and will also be 
detected during the verification procedure. However, if we consider only safety failures in untimed systems, then our notion of conformance is equivalent to the one in [Dil 88].
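The definitions of this section can be exercised directly on small finite trace sets before the Petri-net machinery of the next section is brought in. The Python below is an added example, not code from the paper: it encodes modules as finite sets of complete finite timed traces, implements projection, $M \models x$, $M \setminus w$ and the mirror, and enumerates safety failures (Definition 3) and timing failures (Definition 4) of a set of modules by exploring the prefixes that every module allows. Conformance is then decided through Theorem 1, by checking $\mathcal{M}_c \cup \{M_s^m\}$ for failures. Two assumptions keep the search finite and are not part of the paper’s definitions: candidate event times are drawn only from the times that occur in the given traces, and “there exists $t'$” in Definition 4 is checked over that finite set. The or-gate specification, the erroneous and-gate, and a third implementation that may raise $c$ spontaneously are constructed inputs.

```python
"""Finite approximation of the timed trace theory of Section 2.
Constructed example, not code from the paper.  Modules are finite sets
of complete finite timed traces; candidate event times are restricted to
the finitely many times occurring in those traces (an assumption that
makes the exploration terminate)."""
from fractions import Fraction
from typing import FrozenSet, Iterable, List, Set, Tuple

Event = Tuple[str, Fraction]
Trace = Tuple[Event, ...]


class Module:
    """Canonical trace structure M = (I, O, T) with I and O disjoint."""

    def __init__(self, inputs: Iterable[str], outputs: Iterable[str],
                 traces: Iterable[Iterable[Tuple[str, object]]]) -> None:
        self.I: FrozenSet[str] = frozenset(inputs)
        self.O: FrozenSet[str] = frozenset(outputs)
        if self.I & self.O:
            raise ValueError("I and O must be disjoint")
        self.W: FrozenSet[str] = self.I | self.O
        self.T: Set[Trace] = set()
        for t in traces:
            tr: Trace = tuple((w, Fraction(ts)) for w, ts in t)
            if any(tr[i][1] > tr[i + 1][1] for i in range(len(tr) - 1)):
                raise ValueError("trace violates monotonicity: %r" % (tr,))
            self.T.add(tr)


def project(x: Trace, W: FrozenSet[str]) -> Trace:
    """project(x, W'): keep only the events whose wire lies in W'."""
    return tuple(e for e in x if e[0] in W)


def allows(M: Module, x: Trace) -> bool:
    """M |= x: the projection of x onto W_M is a prefix of a trace of M."""
    px = project(x, M.W)
    return any(t[:len(px)] == px for t in M.T)


def without(M: Module, w: str) -> Module:
    """M \\ w: hide wire w by projecting every trace."""
    W = M.W - {w}
    return Module(M.I - {w}, M.O - {w}, [project(t, W) for t in M.T])


def mirror(M: Module) -> Module:
    """M^m: inputs and outputs swapped, traces unchanged (Definition 6)."""
    return Module(M.O, M.I, M.T)


def all_allow(mods: List[Module], x: Trace) -> bool:
    return all(allows(M, x) for M in mods)


def failures(mods: List[Module]) -> Set[Tuple[str, Trace]]:
    """Safety failures (Definition 3) and timing failures (Definition 4),
    found by a breadth-first exploration of the prefixes y that every
    module allows, extended by one event (w, t) at a time."""
    wires = frozenset().union(*(M.W for M in mods))
    times = sorted({e[1] for M in mods for t in M.T for e in t})
    found: Set[Tuple[str, Trace]] = set()
    seen: Set[Trace] = set()
    frontier: List[Trace] = [()]
    while frontier:
        y = frontier.pop(0)
        if y in seen:
            continue
        seen.add(y)
        last = y[-1][1] if y else None
        later = [t for t in times if last is None or t >= last]  # monotonicity
        for w in wires:
            for t in later:
                x = y + ((w, t),)
                if not all(allows(without(M, w), x) for M in mods):
                    continue                    # M \ w does not allow x
                for Mk in mods:
                    if not allows(Mk, x):
                        continue                # M_k must itself allow x
                    if w in Mk.O and not all_allow(mods, x):
                        found.add(("safety", x))
                    if w in Mk.I and not any(all_allow(mods, y + ((w2, t2),))
                                             for w2 in Mk.I for t2 in later):
                        found.add(("timing", x))
                if all_allow(mods, x):
                    frontier.append(x)
    return found


def conforms(Mc: List[Module], Ms: Module) -> bool:
    """Theorem 1: Mc conforms to Ms iff Mc together with Ms^m is failure-free."""
    return not failures(Mc + [mirror(Ms)])


# Constructed specification of an or-gate: a or b at time 0 leads to c at 1.
OR_SPEC = Module({"a", "b"}, {"c"},
                 [[("a", 0), ("c", 1)], [("b", 0), ("c", 1)],
                  [("a", 0), ("b", 0), ("c", 1)]])
# Erroneous implementation by an and-gate: c appears only after both inputs.
AND_IMPL = Module({"a", "b"}, {"c"},
                  [[("a", 0), ("b", 0), ("c", 1)], [("a", 0)], [("b", 0)]])
# Implementation that may also raise c without any input.
SPURIOUS_IMPL = Module({"a", "b"}, {"c"}, list(OR_SPEC.T) + [[("c", 1)]])
```

Run against the or-gate specification, the and-gate produces exactly the timing failures the text describes (after $a$ alone, or $b$ alone, the mirrored specification waits for $c$ and nothing can supply it), the spontaneous-$c$ implementation produces a safety failure on the trace $(c, 1)$, and the specification conforms to itself.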

3 Analysis of Time Petri Nets 

In the general setting of the previous section, there was absolutely no restriction posed on the set of traces of a module. To be able to give concrete algorithms, however, this set should at least be recursive, i.e., generated by some kind of automaton. In this section, we consider trace sets generated by one-safe time Petri nets [MF 76]. In contrast to timed Petri nets or stochastic Petri nets, which are used in simulation for the optimization of processes [?], time Petri nets have been applied successfully in the verification of hard real-time constraints.

One-safe Petri nets can be seen as a subclass of finite automata, where different parallel activities can be modelled by multiple tokens. Therefore, a Petri net model can be much more succinct than the corresponding automaton. Similarly, time Petri nets can be regarded as a subclass of timed automata [?]. Compared with timed automata, the expressive power of time nets with respect to certain timing properties is restricted. This restriction, however, simplifies the analysis: we can check the conformance relation by a simple state space generation algorithm, traversing every state only once in a depth first search.
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Definition 7. A time Petri net N is a six-tuple, N = {P,T, F, Eft, Lft, p,o), 
where 

— P = {pi,P 2 , ■ ■ ■ ,Pm\ is a finite nonempty set o/ places; 

— T = {ti, T 2 , • • • , t„} is a finite set o/ transitions (P HT = %); 

— F C (P X T) U {T X P) is the flow relation; 

-Eft : T^Q, Lft : T ^ Q U { 00 } are functions for the earliest and latest 
firing times of transitions, satisfying Eft^r) < Lft{T) for all t G T; 

^ pi'Q fk P is the initial marking of the net. 

For any transition t, •t = {p G P \ {p,T) G F} and = {p G P \ {r,p) G F} 
denote the preset and the postset of t, respectively. 

In the following we will restrict ourselves to one-safe Petri nets, where each
place can contain at most one token. Therefore, a marking $\mu$ of $N$ is defined to
be any subset of $P$. A transition $\tau$ is enabled in a marking $\mu$ if $\bullet\tau \subseteq \mu$ (all its input
places have tokens in $\mu$); otherwise, it is disabled. Let $enabled(\mu)$ be the set of
transitions enabled in $\mu$.

A state $\sigma$ of a time Petri net is a pair $(\mu, clock)$, where $\mu$ is a marking and $clock$
is a function $T \to \mathbb{Q}$. The initial state $\sigma_0$ is $(\mu_0, clock_0)$, where $clock_0(\tau) = 0$ for
all $\tau \in T$.

The states of time Petri nets change if time passes or if a transition fires. In
state $\sigma = (\mu, clock)$, time $t \in \mathbb{Q}$ can pass if for all $\tau \in enabled(\mu)$, $clock(\tau) + t \le Lft(\tau)$.
In this case, state $\sigma' = (\mu', clock')$ is obtained by passing $t$ from $\sigma$ if

1. $\mu = \mu'$, and

2. for all $\tau \in T$, $clock'(\tau) = clock(\tau) + t$.

In state $\sigma = (\mu, clock)$, transition $\tau_f \in T$ can fire if $\tau_f \in enabled(\mu)$ and
$clock(\tau_f) \ge Eft(\tau_f)$. In this case, state $\sigma' = (\mu', clock')$ is obtained by firing $\tau_f$
from $\sigma$ if

1. $\mu' = (\mu - \bullet\tau_f) \cup \tau_f\bullet$, and

2. for all $\tau \in T$,
$$clock'(\tau) = \begin{cases} 0 & \text{if } \tau \in enabled(\mu') \text{ and } \tau \notin enabled(\mu - \bullet\tau_f), \\ clock(\tau) & \text{otherwise.} \end{cases}$$

Intuitively, this can be interpreted as follows: passing time $t$ does not change
the marking, but advances all clock values. Firing a transition $\tau_f$ consumes no
time, but updates $\mu$ and $clock$ such that the clock values associated with newly
enabled transitions (i.e., transitions which are enabled in $\mu'$ but not in $\mu - \bullet\tau_f$)
are reset to 0. Clock values of other transitions (i.e., transitions not affected by
$\tau_f$) are left unchanged.

In contrast to untimed Petri nets, not all enabled transitions may be firable
in a given state; certain firing sequences which can occur without timing may
not be possible in the time Petri net. A run $\rho = \sigma_0 \xrightarrow{\tau_1} \sigma_1 \xrightarrow{\tau_2} \sigma_2 \xrightarrow{\tau_3} \cdots$ of $N$ is
a finite or infinite sequence of states and transitions such that $\sigma_0$ is the initial
state, and $\sigma_{i+1}$ is obtained from $\sigma_i$ by passing time and then firing transition
$\tau_{i+1}$. We write $\sigma_i(\rho)$ for the $i$-th state of $\rho$, and similarly $\mu_i(\rho)$ and $clock_i(\rho)$, and
omit the argument $(\rho)$ whenever appropriate. A run is maximal if it is infinite
or in its last state there is no enabled transition. The behavior $B(N)$ of $N$ is the
set of all maximal runs of $N$.

Given any run $\rho$ and $i \ge 0$, we define $time_i(\rho)$ to be the sum of all times
$t$ passed between $\sigma_0(\rho)$ and $\sigma_i(\rho)$; that is, $time_0(\rho) = 0$ and
$time_{i+1}(\rho) = time_i(\rho) + clock_{i+1}(\tau) - clock_i(\tau)$ for some $\tau$ which is not newly enabled in
$\mu_{i+1}$. A state $\sigma$ is reachable if there exists a finite run whose last state is $\sigma$.

Definition 8. A time Petri net is one-safe if for every state $\sigma = (\mu, clock)$
obtained by passing time from any reachable state $\sigma'$, and for every transition $\tau$
which can fire in $\sigma$, $\tau\bullet \cap \mu = \emptyset$.

The restriction to one-safe nets simplifies the verification algorithm.

In order to satisfy the progress condition, we assume that time certainly
passes in any cyclic behavior of $N$. For example, this requirement is satisfied if
the sum of the earliest firing times of the transitions forming any loop in $N$ is positive.
In the sequel, a net will always be a one-safe time Petri net satisfying the above
restriction.

Let $wire$ be a function from a set of transitions to a set of wires. Ev-
ery maximal run $\rho = \sigma_0 \xrightarrow{\tau_1} \sigma_1 \xrightarrow{\tau_2} \cdots$ of a net $N$ generates the timed trace
$((wire(\tau_1), time_1(\rho)), (wire(\tau_2), time_2(\rho)), \dots)$. We also say that a net $N$ repre-
sents the module consisting of all traces generated by maximal runs of $N$.



Fig. 2. Nets specifying AND gate and C element
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Bounded delay asynchronous circuits can be easily described by nets. For 
example, an and-gate which has inputs a, b and an output wq with gate delay 
[5,10] can be represented by the net shown in Fig.IJa). In this modelling, we do 
not distinguish between the change of a wire from 0 to 1 and from 1 to 0. An 
or-gate can be represented similarly. Even though it would be possible to give 
a more detailled description of gates (e.g., transistor level behavior), for most 
verification purposes the given net is an adequate representation. 

The composition of several gates in a circuit can be described by simply 
putting together all nets representing single gates. Assuming that all wires in 
the circuit have unique names, for each transition the corresponding wire can 
be assigned. Then, the disjoint union of all these nets represents the complete 
circuit. Thus, the implementation of Muller’s C element shown in Fig. mb) can 
be represented by a collection of nets which are similar to the one in Fig. El a). 
This implementation works correctly under the following assumptions: 

1. if an input changes, then the same input never changes again before an 
output changes, and 

2. no input changes before some constant time passes after the change of the 
output. 

The net shown in Fig. El[b) specifies the behavior of a C-element with these 
assumptions. Verification consists in showing that the gate-level representation 
conforms to this specification. This is done by exploring the reachable states of 
the composed net. 

We now describe an algorithm to generate these reachable states of time
Petri nets. Since for time Petri nets the time domain consists of rational (not
real) numbers, the state space can be finitely represented by sets of systems of
inequalities. Basically, we use a system of inequalities to represent a number of
different clock functions of time Petri nets. By an inequality we mean any string
of the form "$x - y \sim c$", where $x$ and $y$ are from a designated set of variables,
$c \in \mathbb{Q}$ and $\sim$ is a relation symbol from $\{\le, \ge\}$. If $I$ is a set of inequalities, then
$var(I)$ denotes the set of variables that $I$ contains; we say that $I$ is a set of
inequalities over $var(I)$. Let $I$ be a set of inequalities over $\{x_1, x_2, \dots, x_m\}$. A
feasible vector for $I$ is a tuple $(c_1, c_2, \dots, c_m)$ of constants $c_i \in \mathbb{Q}$ such that every
inequality obtained by replacing every $x_i$ by $c_i$ ($1 \le i \le m$) in any inequality
from $I$ holds in the theory of rational numbers. The solution set of $I$ is the set
of feasible vectors for $I$. A set of inequalities is consistent if its solution set is
nonempty. Two sets of inequalities are isomorphic if they have the same solution
set.

If the net $N = (P, T, F, Eft, Lft, \mu_0)$ represents the module $M = (I, O, \mathcal{T})$,
we denote this by $M = (I, O, N, wire)$. An abstract state of the net is a pair
$(\mu, I)$, where $\mu \subseteq P$ and $I$ is a set of inequalities. Each abstract state denotes an
equivalence class of reachable states of the net, namely all states for which the
clock values form a feasible vector in the solution set of $I$. The initial abstract
state of $N$ is $(\mu_0, I_0)$, where $I_0 = \{$"$Eft(\tau) \le \tau - v \le Lft(\tau)$" $\mid \tau \in enabled(\mu_0)\}$.
Here, $\tau$ in $I_0$ is a variable representing the next firing time of the transition $\tau$.
The variable $v$ indicates the initial time point.



Verification of Bounded Delay Asynchronous Circuits with Timed Traces



The next step is to compute the set of abstract successor states $\sigma'$ of an
abstract state $\sigma$ of $N$. To this end we need the notion of deletion of a set $U$ of
variables from a set $I$ of inequalities. For every such $I$ and $U$ there exists an (up to
isomorphism) unique set $I' = delete(I, U)$ of inequalities over $var(I) - U$ such
that the solution set of $I'$ is equal to the solution set of $I$ projected on $var(I) - U$.
For example, if $I = \{$"$y - x \ge 2$", "$y - x \le 7$", "$y - z \le 3$", "$z - y \le 11$"$\}$, then
$delete(I, \{y\}) = \{$"$x - z \le 1$", "$z - x \le 18$"$\}$. $I'$ can be computed incrementally
by a shortest path algorithm in time $O(|var(I)|^2)$ [Rok 93, Shi 94].

Let $\sigma = (\mu, I)$ be an abstract state of $N$, and $\tau_f \in enabled(\mu)$. Then
$first(\mu, \tau_f) = \{$"$\tau - \tau_f \ge 0$" $\mid \tau \in enabled(\mu)\}$ is a set of inequalities describ-
ing that $\tau_f$ is the first transition which fires in $\mu$. $firable(\sigma) = \{\tau_f \mid \tau_f \in
enabled(\mu),\ I \cup first(\mu, \tau_f)$ is consistent$\}$ is the set of transitions that can fire
earlier than all other transitions in the given marking. An abstract successor
$\sigma' = (\mu', I')$ of $\sigma$ is obtained as follows:

— $\tau_f$ is a transition in $firable(\sigma)$.

— $\mu'$ is the marking of $N$ obtained by firing transition $\tau_f$, that is,
$\mu' = (\mu - \bullet\tau_f) \cup \tau_f\bullet$.

— $R$ is the set of newly enabled transitions obtained by the firing of $\tau_f$, that is,
$R = enabled(\mu') - enabled(\mu - \bullet\tau_f)$.

— $J = \{$"$\tau - \tau_f \ge Eft(\tau)$" $\mid \tau \in R\} \cup \{$"$\tau - \tau_f \le Lft(\tau)$" $\mid \tau \in R\}$.

— $J' = I \cup first(\mu, \tau_f) \cup J$.

— $D = \{\tau \mid \tau$ made some transition $\tau'$ enabled, and $\tau'$ is still enabled in $\mu'\}$.

— $I' = delete(J', \{\tau \mid \tau \notin enabled(\mu')\} - D)$.

Intuitively, $J$, $J'$, $D$ and $I'$ can be read as follows: $J$ relates the variables of newly
enabled transitions to the variable of the fired transition $\tau_f$. $J'$ is the union
of $I$, $J$, and a set of inequalities representing that $\tau_f$ fires earlier than the others.
Transitions related to variables in $D$ are currently parents of enabled transitions
in $\mu'$, and these variables are necessary to check the coverability between the
firing domains of transitions. Finally, in $I'$ the variables of disabled transitions
except for those in $D$ are deleted. We write $\sigma \xrightarrow{\tau_f} \sigma'$ if $\sigma' = (\mu', I')$ is a successor
of the abstract state $\sigma = (\mu, I)$ with respect to $\tau_f$.
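The inequality bookkeeping above ($delete$ as projection, consistency, $first$ and $firable$, and the successor steps for $J$, $J'$, $D$ and $I'$) is carried out by the following Python program. It is an added example and not code from the paper: the two-input net it explores is constructed for illustration (it is in the spirit of Fig. 2(a), not a copy of it), firing-time variables are named "transition#k" with a running counter $k$ where the paper writes the bare transition symbol, and inequality sets are stored as a difference bound matrix closed by Floyd-Warshall, the standard representation for sets of this form. The block reproduces the paper's $delete$ example and then follows the abstract state space of the net, showing that an enabled transition need not be firable.

```python
"""Difference-constraint sets and abstract successor states of a one-safe time
Petri net.  Added example, not code from the paper: the net below is constructed,
and firing-time variables are named "transition#k" with a running counter k."""
from collections import namedtuple
from fractions import Fraction


class Ineqs:
    """Inequalities "x - y <= c" kept as a difference bound matrix.  After close() every
    entry is the tightest implied bound, so dropping variables is the paper's delete."""

    def __init__(self, variables=(), bounds=None):
        self.vars, self.b = list(variables), dict(bounds or {})  # b[(x, y)] = c: x - y <= c

    def add(self, x, y, c):
        """Add x - y <= c; an inequality x - y >= c is added as add(y, x, -c)."""
        self.vars += [v for v in (x, y) if v not in self.vars]
        if (x, y) not in self.b or Fraction(c) < self.b[(x, y)]:
            self.b[(x, y)] = Fraction(c)
        return self

    def close(self):
        """Floyd-Warshall tightening; False iff inconsistent (some x - x <= c with c < 0)."""
        b, V = self.b, self.vars
        for v in V:
            b.setdefault((v, v), Fraction(0))
        for k in V:
            for i in V:
                if (i, k) in b:
                    for j in V:
                        if (k, j) in b and ((i, j) not in b or b[(i, k)] + b[(k, j)] < b[(i, j)]):
                            b[(i, j)] = b[(i, k)] + b[(k, j)]
        return all(b[(v, v)] >= 0 for v in V)

    def union(self, extra):
        """A copy extended by the triples (x, y, c) in extra, each meaning x - y <= c."""
        c = Ineqs(self.vars, self.b)
        for x, y, k in extra:
            c.add(x, y, k)
        return c

    def delete(self, U):
        """delete(I, U): the solution set of I projected onto var(I) - U."""
        assert self.close(), "delete on an inconsistent set"
        return Ineqs((v for v in self.vars if v not in U),
                     {xy: c for xy, c in self.b.items() if xy[0] not in U and xy[1] not in U})


Net = namedtuple("Net", "pre post eft lft mu0")   # F given as pre/postsets; Lft None = infinity
# (mu, I) plus bookkeeping: var maps each enabled transition t to (its firing-time
# variable, the variable of the transition that enabled it); n is the variable counter.
State = namedtuple("State", "mu I var n")


def enabled(net, mu):
    return {t for t in net.pre if net.pre[t] <= mu}


def window(net, t, x, p):
    """Eft(t) <= x - p <= Lft(t) as triples for Ineqs; upper half omitted if Lft is infinite."""
    return [(p, x, -net.eft[t])] + ([(x, p, net.lft[t])] if net.lft[t] is not None else [])


def initial_state(net):
    """(mu0, I0) with I0 = {Eft(t) <= t - v <= Lft(t) | t in enabled(mu0)}; v is the initial time."""
    var = {t: (f"{t}#{i}", "v") for i, t in enumerate(sorted(enabled(net, net.mu0)))}
    I = Ineqs(["v"]).union(q for t, (x, p) in var.items() for q in window(net, t, x, p))
    assert I.close()
    return State(frozenset(net.mu0), I, var, len(var))


def first(st, tf):
    """first(mu, tf): tf fires no later than every other enabled transition (tf - t <= 0)."""
    return [(st.var[tf][0], st.var[t][0], 0) for t in st.var if t != tf]


def firable(st):
    return {tf for tf in st.var if st.I.union(first(st, tf)).close()}


def successor(net, st, tf):
    """The abstract successor (mu', I') of st with respect to tf, following the steps in the text."""
    assert tf in firable(st)
    rest = st.mu - net.pre[tf]
    assert not (net.post[tf] & rest), "net is not one-safe"
    mu2 = rest | net.post[tf]                              # mu' = (mu - pre(tf)) u post(tf)
    R = enabled(net, mu2) - enabled(net, rest)             # newly enabled transitions
    xf, n = st.var[tf][0], st.n
    var = {t: xp for t, xp in st.var.items() if t in enabled(net, mu2) and t not in R}
    for t in sorted(R):                                    # fresh variable, parent tf
        var[t], n = (f"{t}#{n}", xf), n + 1
    J = st.I.union(first(st, tf)).union(q for t in R for q in window(net, t, var[t][0], xf))
    assert J.close()                                       # J' = I u first(mu, tf) u J
    D = {p for x, p in var.values()}                       # parents of still-enabled transitions
    keep = {x for x, p in var.values()} | D
    return State(mu2, J.delete([x for x in J.vars if x not in keep]), var, n)


# Constructed net: input transitions a (within [0,3]) and b (exactly at 5) feed the
# output transition c, which fires 5..10 time units later and re-enables both inputs.
NET = Net(pre={"a": {"pa"}, "b": {"pb"}, "c": {"qa", "qb"}},
          post={"a": {"qa"}, "b": {"qb"}, "c": {"pa", "pb"}},
          eft={"a": 0, "b": 5, "c": 5}, lft={"a": 3, "b": 5, "c": 10}, mu0={"pa", "pb"})


def explore(net, steps):
    """Fire the given transitions in turn; return the firable sets seen and the final state."""
    st, seen = initial_state(net), []
    for tf in steps:
        seen.append(sorted(firable(st)))
        st = successor(net, st, tf)
    return seen + [sorted(firable(st))], st
```

Running `explore(NET, ["a", "b", "c"])` yields the firable sets `["a"], ["b"], ["c"], ["a"]`: transition `b` is enabled from the start, but since `a` must fire within 3 time units and `b` only at time 5, `first(mu, b)` is inconsistent with $I_0$ and `b` never becomes firable before `a`. After `c` fires, the retained parent variable of `c` lets the new windows of `a` and `b` be expressed relative to it, exactly as the set $D$ prescribes.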

We now describe how conformance can be checked, using this successor rela-
tion between abstract states. We consider a set $\{M_0, M_1, \dots, M_n\}$ of modules,
where $M_i = (I_i, O_i, N_i, wire_i)$, $N_i = (P_i, T_i, F_i, Eft_i, Lft_i, \mu_i^0)$, and assume that for
$i \ne j$, $P_i \cap P_j = T_i \cap T_j = P_i \cap T_j = \emptyset$. Some module in the set is the mirror of a
specification, and input transitions and output transitions must not be in conflict
in the module. If there is no confusion, we use the notation $wire$ instead of $wire_i$,
and $\tau \in M_i$ when $\tau \in T_i$. Let $m(\tau)$ be the module number of $\tau$, i.e., $m(\tau) = i$ if
$\tau \in M_i$. Transition $\tau$ is called an output transition if $wire_{m(\tau)}(\tau) \in O_{m(\tau)}$, and an
input transition if $wire_{m(\tau)}(\tau) \in I_{m(\tau)}$. If $\sigma_i = (\mu_i, I_i)$, $i \le n$, are abstract states
of the nets $N_i$, and $K$ is a set of inequalities, we say that $s = (\sigma_0, \dots, \sigma_n, K)$ is
an abstract state of the module set $\{M_0, M_1, \dots, M_n\}$.
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The initial abstract state is sq = (ctq, • • • , ct°, 0). We extend the definitions of 
enabled{^x) and firable(a) with respect to s = (ao, ■ ■ ■ , an, K) as follows. 

enabled{s) = {r | r G enabled{^na{T))} ^ and 



n 

globally -fir able{s) = {r | r G enabled{s), first{s,T)U liUK is consistent}, 

i=0 

where first{s, t) = {“t — t' < 0” | r' G enabled(s)} . Furthermore, for an output 
transition tq such that tq G globally -firable(s) , 

sync-trans{To, s) = {r | wire^r) = wire{To),T G globally -firable{s)}. 



When {Mo, Mi, • • • , M„| is at s = (cto, • • • , cr„, K), it moves to s' = (a'g, • • • , cr^, 
K') with respect to tq G globally-/ irable(s) by firing all transitions in 
sync-trans{To , s). 

— for 1 < i < n 

• if T G sync-trans{To, s) H Tj, then Oi — > cr', and 

• if sync-trans{To , s)C\Ti = 0, then a' = ai. 

— iG' = iy u (“r = r'” I T, r' G sync-trans{To,s)}. 

Let $s \xrightarrow{\tau_O} s'$ denote this state transition relation of the module set. For any tran-
sition $\tau$ and abstract state $\sigma$, the variable $parent(\tau, \sigma)$ indicates which transition
enabled $\tau$. Formally, if $\sigma = (\mu, I)$, $\sigma' = (\mu', I')$, $\sigma \xrightarrow{\tau} \sigma'$, and $\tau' \in enabled(\mu')$,
then
$$parent(\tau', \sigma') = \begin{cases} \tau & \text{if } \tau' \in enabled(\mu') - enabled(\mu - \bullet\tau), \\ parent(\tau', \sigma) & \text{otherwise.} \end{cases}$$
For a set $I$ of inequalities, let $earlier(x, y, I)$ be the predicate expressing that
$solution(\{$"$x \ge y$"$\} \cup I) = \emptyset$, i.e., $earlier(x, y, I)$ holds iff $x < y$ for every solution
vector of $I$. We write $earlier(x, y, \sigma_i)$ for $earlier(x, y, I_i)$, where $\sigma_i = (\mu_i, I_i)$,
and $earlier(x, y, s)$ for $earlier(x, y, \bigcup_{i=0}^{n} I_i \cup K)$, where $s = (\sigma_0, \dots, \sigma_n, K)$. Let
$\tau \in M_i$, $\sigma_i = (\mu_i, I_i)$, and $\tau \in enabled(s)$.

— $earliest\text{-}firing\text{-}time(s, \tau) = parent(\tau, \sigma_i) + Eft(\tau)$, and

— $latest\text{-}firing\text{-}time(s, \tau) = parent(\tau, \sigma_i) + Lft(\tau)$.

A state $s = (\sigma_0, \dots, \sigma_n, K)$ is called safe if for every output transition $\tau_O$
such that $\tau_O \in globally\text{-}firable(s)$, and for every module $M_j$ ($0 \le j \le n$) such
that $wire(\tau_O) \in I_j$, there exists an input transition $\tau_I$ such that $wire(\tau_I) =
wire(\tau_O)$, $\tau_I \in enabled(s)$, $earlier(earliest\text{-}firing\text{-}time(s, \tau_I), \tau_O, s)$ holds, and
either

1. $earlier(\tau_O, latest\text{-}firing\text{-}time(s, \tau_I), s)$, or

2. for some output transition $\tau$ such that $\tau \in enabled(s)$,
$earlier(\tau, latest\text{-}firing\text{-}time(s, \tau_I), s)$.
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A state s = (<jo, ■ ■ ■ ,an, K) is called live, if for every input transition tj such 
that T/ € globally -fir able{s), there exists an output transition r (of an arbitrary 
module) such that t C globally -firable{s). 

Let modules Mi, • • • , M„ be represented by nets A^i, • • • , Nn- A safety fail- 
ure corresponds to a non-safe state in the reachable state space, and a tim- 
ing failure occurs if a state can be reached which is not live. In other words, 
failure{Mi, M 2 , ■ ■ ■ , Mn) is empty, iff every state which is reachable from the 
initial state of {Ni,---,Nn) is both safe and live. Therefore, the verification 
of conformance between modules can be done by traversing the state space of 
{Ni, ■ ■ ■ , Nn) and checking if non-safe or non- live states are reachable. 

Furthermore, it is possible to replace an abstract description of a module by a 
more concrete implementation. If {Mi, • • • , M^-i, Mk, M^+i, ■ ■ ■ , M„} conforms 
to Ms, {Mfej, ...,Mfe^} conforms to Mu, and ~ Wk) n = 

0, then (Ml, • • • , Mk-i,Mk ^, ..., Mk^, Mk+i, • • • , M„} conforms to Ms- The set 
of wires in a specification usually is much smaller than the set of wires in 
the implementation. Thus, the total computation cost to determine whether 
{Mi,---,Mfc_i,Mfe,Mfe+i,---,M„} conforms to Ms and {Mfc^, • • • , M^^} con- 
forms to Mk is significantly smaller than the computation of whether 
{Ml, • • • ,Mfc_i,Mfej, • • • ,Mfc„,Mfc+i, • • ■ ,Mn} conforms to Mg. This is the pri- 
mary advantage of hierarchical verification. 



4 Experimental Results 

We have implemented the algorithm shown in the previous section on a UNIX
workstation in C++. In this section, we present some experimental verification
results.

First, our verifier shows that the C-element implementation in Fig. 1(b) is correct with
respect to the specification in Fig. 2(b) after traversing 51 states, which takes
about one second on a 17 MIPS workstation.




Fig. 3. An automatic sweeping module, gate level implementation, and specification
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The second example is a control circuit of the request-acknowledgement hand- 
shake mechanism for asynchronous circuits. This circuit called an automatic 
sweeping module (ASM, for short) has two inputs (a primary request pr, a sec- 
ondary acknowledgement so) and two outputs (a primary acknowledgement pa, 
a secondary request sr) (Fig. Ela)). It has the following functionality: 

1. When the primary request goes high with the secondary acknowledgement 
low, ASM sets the secondary request. 

2. When the secondary acknowledgement becomes high, ASM resets the sec- 
ondary request with setting the primary acknowledgement. 

3. When the primary request becomes low, ASM resets the primary acknowl- 
edgement. 

This functionality with almost the same assumptions as for the C-element is 
specified with a net as shown in Fig. OKc). On the other hand. Fig. 0(b) was 
proposed as the gate level implementation of ASM. We assume that each gate 
has a delay [5,10]. 

Our verifier shows that this implementation is correct with respect to the 
specification in Fig. 0(c). In Table 0, the column flat shows the size of the nets, 
the number of states, and CPU times needed for this verification when C elements 
are expanded by using their gate level implementations shown in Fig. 0 The 
column hierarchical shows the results of the hierarchical verification. That is, 
the specification net shown in Fig. H(b) is used for the verification of ASM. 
In this case, the total verification time is the sum of the verification times for 
both ASM and C-element. These results show the advantage of the hierarchical 
verification as well. 



Table 1. Results of verification

                 flat                                hierarchical
                 size*        states   CPU time (s)  size*        states   CPU time (s)
  C-element      -            -        -             p:30, t:34   51       1.3
  ASM            p:78, t:90   391      81.8          p:34, t:34   58       1.2
  Total          p:78, t:90   391      81.8          p:64, t:68   109      2.5

* "p:" and "t:" represent the numbers of places and transitions, respectively.



5 Conclusion 

In this paper, we have extended the trace theoretic verification method for speed-
independent asynchronous circuits to handle bounded delay asynchronous cir-
cuits. Our method is based on timed traces, and can check (timed) safety proper-
ties as well as responsiveness properties. It also inherits from the original method
the possibility of hierarchical verification.

We use time Petri nets to describe both specification and implementation.
Time Petri nets are a natural extension of ordinary Petri nets, which are widely
used in conventional verification methods. In this formalism, both (timed) prop-
erties and bounded delay asynchronous circuits can be described. We have de-
veloped a decision algorithm to check whether an implementation is correct with
respect to its specification. It is based on state space traversal of a set of time
Petri nets, checking whether any failure states are reachable.

First experimental results show that hierarchical verification works extremely
well. Nevertheless, an increase in the number of modules can have a bad in-
fluence on the verification time. In the future we want to apply partial order
analysis techniques [YY, YS 97, BM 98] to our method. This could help to
further reduce the average complexity of the verification.
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Abstract. We define a value-based modal /r-calculus, built from first- 
order formulas, modalities, and fixed point operators parameterized by 
data variables, which allows to express temporal properties involving 
data. We interpret this logic over /tCrl terms defined by linear process 
equations. The satisfaction of a temporal formula by a /tCrl term is 
translated to the satisfaction of a hrst-order formula containing parame- 
terized fixed point operators. We provide proof rules for these fixed point 
operators and show their applicability on various examples. 



1 Introduction 

In recent years we have applied process algebra in numerous settings.
The first lesson we learned is that process algebra pur sang is not very handy,
and we need an extension with data. This led to the language $\mu$CRL (micro
Common Representation Language) [13]. The next observation was that it is
very convenient to eliminate the parallel operator from a process description
and reduce it to a very restricted form, which we call a linear process equation or
linear process operator. Such an elimination can be done automatically
and generally yields a compact result, of the same size as the original system
description. For proving equations of the form specification = implementation, a
proof methodology has been developed and has been applied to numerous
examples that all have infinite or unbounded state spaces.

An obvious question that has not been addressed thus far is whether the
linear process format can also be employed in proving temporal logic formulas.
In this paper we provide a way of doing so that roughly goes as follows. First,
we extend the modal $\mu$-calculus to express properties about data, meaning
that we include boolean expressions on data variables, parameterization of ac-
tions contained in the modalities, quantification over data, and parameterization

* This work has been funded by grant no. 97-09 of the Ercim fellowship programme
for collaboration between Inria and Cwi.
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of minimal and maximal fixed point operators. A typical example of temporal 
property expressed in this logic is 

(n:N).3m:N. (a(m + n)) Y {m + n)) (2) 

describing the states from which an infinite sequence of actions a(fo)a(*i)o(z 2 ) • ■ • 
can be performed, where 2 < ig < ii < i 2 ■ Another example of formula is 

Vz:N.[a(z)](z > n) 

stating that whenever an a{i) action can be performed, i must be larger than n. 

The second step is to prove that a given linear process satisfies such a tempo- 
ral formula. To achieve this, we first transform both the process and the tempo- 
ral formula into a first-order fixed point formula. This approach is similar to the 
model-checking algorithms in mm, where a formula of standard /i-calculus 
(i.e., without data) and a finite state automaton are combined to form a set of 
fixed point boolean equations, which can be solved in linear time, provided the 
formula is alternation-free. In our setting, this transformation applies to the full 
logic (formulas of arbitrary alternation depth), is purely syntactical, and in many 
cases can be carried out by hand, as both the linear process and the temporal 
formula are generally quite small. 

In order to solve the first-order fixed point formulas obtained in this way, we 
use the standard proof rules for connectives and quantifiers, and we introduce 
a set of proof rules for fixed point operators allowing to approximate (towards 
either satisfaction, or refutation) the fixed point (sub)formulas. If the initial state 
of the process satisfies an approximation of a maximal fixed point formula, we 
know that it satisfies the maximal fixed point too. The approximation of minimal 
fixed points captures the fact that the property expressed by a minimal fixed 
point formula must be reached in a finite number of steps. These rules reflect 
the proof principles for safety and liveness properties discussed in mi. 

We included a simple example and a slightly more elaborate one, in order 
to show how the proof method that we propose can be used. We have also suc- 
cessfully applied the method to verify a distributed summing protocol la, but 
due to space limitations we have not included it in this paper. All these exam- 
ples are quite promising, as they show that our method leads to straightforward 
arguments of validity of the temporal formulas. 

Other approaches to prove temporal properties involving data that we are 
aware of [1 1)^7) use tableau-based methods, often directed towards decomposing 
the property over the system. The approach we adopt here is different, being 
intended to facilitate manual verification in the natural deduction style (see 
also mi). Since the linear processes obtained from /tCrl specifications are gen- 
erally small, we expect a good applicability of our method to various examples. 

The paper is organized as follows. Section El defines the linear ^Crl pro- 
cesses and their models. SectionEI gives the syntax and semantics of the extended 
/r-calculus that we propose, together with examples of temporal properties. Sec- 
tion^presents the verification method, i.e., the translation into first-order fixed 
point formulas and the proof rules for extremal fixed points. Finally, Section 0 
shows the application of this method on an infinite-state linear /tCrl process. 
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2 Preliminaries 

We define below the notions of data expression, linear process, and labeled tran-
sition system (LTS), over which the temporal logic formulas will be interpreted.

2.1 Expressions

The set $Exp$ of data expressions is defined over a set $DVar$ of data variables and
a set $Func$ of functions. Each data variable $x \in DVar$ has a type $D$ and each
function $f \in Func$ has a profile $D_1 \times \cdots \times D_n \to D$, where $D_1, \dots, D_n$ are
the argument types of $f$ and $D$ is its result type. We write $Val$ for the domain
containing all the values belonging to the types $D$. The expressions $e \in Exp$ are
defined by the following grammar:
$$e ::= x \mid f(e_1, \dots, e_n)$$
The set of variables occurring in an expression $e$ is noted $var(e)$.

We define the domain $DEnv = DVar \to Val$ of data environments. A data
environment $\varepsilon \in DEnv$ is a partial function mapping data variables to values
of their corresponding types. The support of an environment $\varepsilon$, noted $supp(\varepsilon)$,
denotes the set of variables that are assigned a value in $Val$ by $\varepsilon$. An environment
mapping the variables $x_1, \dots, x_n$ respectively to the values $v_1, \dots, v_n$ is noted
$[v_1/x_1, \dots, v_n/x_n]$. The environment having an empty support is noted $[\,]$. The
overriding of $\varepsilon$ by $[v_1/x_1, \dots, v_n/x_n]$ is the data environment defined as follows:
$$(\varepsilon[v_1/x_1, \dots, v_n/x_n])(x) = \text{if } \exists i \in [1, n].\ x = x_i \text{ then } v_i \text{ else } \varepsilon(x).$$

The semantics of data expressions is given by the interpretation function
$[\![\cdot]\!] : Exp \to DEnv \to Val$, defined inductively below. For an expression $e$ and
a data environment $\varepsilon$ such that $var(e) \subseteq supp(\varepsilon)$, $[\![e]\!]\varepsilon$ denotes the value of $e$ in
the context of $\varepsilon$:
$$[\![x]\!]\varepsilon = \varepsilon(x)$$
$$[\![f(e_1, \dots, e_n)]\!]\varepsilon = f([\![e_1]\!]\varepsilon, \dots, [\![e_n]\!]\varepsilon)$$

We assume that the domain $Bool = \{tt, ff\}$ of boolean values is predefined,
together with the usual operations $\wedge$, $\vee$, and $\neg$. Boolean expressions are
denoted by the symbol $b$.

2.2 Linear Processes

Linear processes share with LTSs the advantage of being a simple, straightfor-
ward notation, suitable for further analysis of processes in either automatic or
manual form. But they do not share the most important disadvantage, namely
the exponential blow-up caused by the parallel operator. As we are in-
terested in devising analysis methods for realistic distributed systems, it is clear
that LTSs are not satisfactory. Therefore, we use linear processes, of which
we give a definition below.

Let $\mathcal{A}ct$ be a set of actions, which may be parameterized by data values.
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Definition 1. Let Act C Act U {t} he a finite set of actions and D, Da, Ea 
be data types. A linear process over Act and D is defined hy an equation of the 
following form: 



X{x\D)= ^ ^ a{ea)-X{e'a) <bai> 5 

a^Act Xa'-Ea 

where x is a parameter of type D, and for each action a € Act, Xa is a variable 
of type Ea, €a and are expressions of type Da and D, respectively, and ba 
is an expression of type Bool, such that var{ea) U var{e'a) U var{ba) C {x,Xa}. 
The constant S, called deadlock, cannot perform any action. The initial state of 
process X may be specified by giving an initial value vo G D for x. 

A linear process expression must be read as follows. If a process is in state 
X, then it can perform actions o(ea) provided a value of Xa in Ea can be found 
such that ba holds. In such a case, the process ends up in a state ejj. 

For simplicity, we allow at most one data parameter for any action a G Act 
(we assume that r has a dummy parameter) and for each linear process X. 
Using pairing and projection, the formalization can be straightforwardly used 
with multiple parameters. 

2.3 Transition Systems

We consider a linear $\mu$CRL process $X$ as in Definition 1. According to the oper-
ational semantics of $\mu$CRL, the transition system modeling a linear process
is defined as follows.

Definition 2. The transition system of a linear process is a quadruple $M =
(S, L, \to, s_0)$, where:

— $S = \{X(v) \mid v \in D\}$ is the set of states;

— $L = \{a(v_a) \mid a \in Act \wedge v_a \in D_a\}$ is the set of labels;

— $\to\ = \{X(v) \xrightarrow{a(v_a')} X(v') \mid a \in Act \wedge \exists v_a \in E_a.\ ([\![b_a]\!][v/x, v_a/x_a] \wedge v_a' =
[\![e_a]\!][v/x, v_a/x_a] \wedge v' = [\![e_a']\!][v/x, v_a/x_a])\}$ is the transition relation;

— $s_0 = X(v_0) \in S$ is the initial state.

The definition of the initial state of the process is not mandatory, unless there
are properties of $X$ that must be explicitly verified on $X(v_0)$.



3 Temporal Logic 

The logic we consider is based upon an extension of the modal $\mu$-calculus
with data variables, quantifiers, and parameterization, in order to express prop-
erties involving data. Other similar value-based formalisms extending the modal
$\mu$-calculus have been used in the framework of symbolic transition systems
and of the polyadic $\pi$-calculus.
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The logic we propose here contains a set AForm of action formulas and a 
set SForm of state formulas, whose syntax and semantics are defined below. To 
simplify the notations, we implicitly consider throughout this section a transition 
system M = (S, L, —>■, sq), over which the formulas are interpreted. 

The action formulas a G AForm are defined by the following grammar: 

a ::= a(e) | tt \ | oi A «2 | ^y'D.a 



where a G Act, e G Exp, and y G DVar is a data variable of type D. The usual 
derived operators are also allowed: ff = ^tt, «i V 02 = A ^ 02 ), oc\ 

«2 = V 02 , yy.D.a = ~^3y:D.^a. Data variables are bound by quantifiers in 
the usual way. The set of free data variables of a formula a is noted fdv{a) . 

The semantics of action formulas is given by the interpretation function |.] : 
AForm — > DEnv — > 2^, defined inductively below. Given an action formula a 
and a data environment e such that fdv{a) C supp{e), |o] e denotes the set of 
labels satisfying a in the context of e: 



Ia(e)l£"=^'{a(Ie]e)} 

Ms = i 

|oi A 02! £ [ai] e n 102] e 

[3y.D.a\ e U„6 d H v] ■ 

The state formulas y G SForm, built over the set AForm and over a set PVar 
of propositional variables, are defined by the following grammar: 



y::=b\Y (e) | ^(^ | (^1 A (^2 | (a) I 3y:D.y \ (y,Y {y.D).y) (e) 

where b G Exp is a boolean expression, Y G PVar is a (parameterized) propo- 
sitional variable, a. G AForm is an action formula and y G DVar is a data 
variable of type D. Besides the usual derived connectives, we also define the 
box modal operator [a\y = —• {a) and the maximal fixed point operator 
{iyY{y:D).y){e) = -^{yY{y:D).^y[-^Y/Y]){e), where y[-^Y/Y] denotes the syn- 
tactic substitution of Y by —Y in y. In the sequel, we let cr range over {y, v}. 

Data variables are bound by quantifiers and by parameterization, and propo- 
sitional variables are bound by fixed point operators, in the usual way. The sets 
of free data variables and free propositional variables of y are noted fdv{y) and 
fpv{y), respectively. A formula y is said closed if fdv{y) = 0 and fpv{y) = 0. 

We assume that state formulas are syntactically monotonic, i.e., for each for- 
mula {aY {y.D).y)(e), every free occurrence oiY vciy falls under an even number 
of negations. This enables to convert any formula y in Positive Normal Form 
(Pnf for short) by pushing the negations downwards to its atomic subformulas 
and (if necessary) by a-converting it such that there is no variable Y having 
both free and bound occurrences in y. In the sequel, we consider only closed 
state formulas in Pnf. 
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We define the domain PEnv = PVar (Val ^ 2‘®) of propositional envi- 
ronments. A propositional environment p S PEnv is a partial function mapping 
propositional variables to functions from the domains of their parameters to sets 
of transition system states. The support, bracketed notation, and overriding of 
propositional environments are defined in the same way as for data environments. 

The semantics of state formulas is given by the interpretation function |.] : 
SForm — > PEnv — > DEnv ^ 2‘®, defined inductively below. For a state formula 
ip, a propositional environment p, and a data environment e such that fpv{ip) C 
supp{p) and fdv{(p) C supp{e), |(^] pe denotes the set of states satisfying <p in the 
context of p and e: 

|6] pe if |6] £ then S else 0 
lr(e)lp£"='(p(r))(Iel£) 

{(fi A (f 2 j pe ='" Ipij pe n lip 2 j pe 

1(a) ip\ pe |Al(r)) G S \ 3v' G D.3a G Act.3va G Da- 

X(v) Ai(v') A a(va) G |a] £ AX(v') G |v?l p£} 
l3y:D.ifj pe {A(r;) eS\3v e D.X{v) G M p{e[v'/y])} 
[{pY{y:D).<p){e)] pe {p<Pp,){le\ e) 

where the functional : {D 2^) ^ (D — > 2'®), associated to the formula 
pY{y:D).(f, is defined as <Ppe = XF:D — > 2^.Xv:D. |(/3] (p[F/Y]){e[v/y]). 

It is straightforward to check that, for state formulas in Pnf, every functional 
Fpg associated to a fixed point (sub)formula is monotonic over D ^ 2^ . Since the 
underlying lattices D — > 2'® are complete, it follows from Tarski’s theorem izq 
that every functional has a unique minimal fixed point pd^pg and a unique 
maximal fixed point vFpg. 



3.1 Example

We describe a simple infinite state process, together with some temporal properties, in order to illustrate the techniques presented here. In Section 4.3 we will translate the temporal formulas and in Section 4.5 we will prove the validity of the first-order fixed point formulas that we have obtained this way. The example is given by the following linear process equation, describing a slot machine:

$$X(v{:}N, b{:}Bool) = s \cdot X(v+1, \neg b) \lhd \neg b \rhd \delta \ +\ \sum_{m:N} w(m) \cdot X(v-m, \neg b) \lhd b \wedge m \le v \rhd \delta$$

The parameters $v$ and $b$ denote the current amount of money and the current state of the machine, respectively. When $b$ equals $ff$, a user can activate the machine by inserting a coin (action $s$); afterwards, $b$ becomes $tt$ and the machine will deliver the money $m$ won by the user (action $w(m)$). The initial state of the system is $X(v_0, ff)$, for some fixed $v_0 \ge 0$. (Actually, the linear process above allows a user to collect any amount of money he wants, but for the sake of the example we do not complicate the slot machine in order to avoid this.)

We are interested in the temporal properties below.

1. A basic liveness property is that, for any amount of money $l \in N$, the machine can potentially deliver it to a user:

$$\varphi_1 \stackrel{def}{=} \mu Y.\,\langle w(l)\rangle tt \vee \langle tt\rangle Y$$

2. A stronger liveness property would be that, for any amount of money $l \in N$, the machine must eventually deliver it:

$$\varphi_2 \stackrel{def}{=} \mu Y.\,\langle tt\rangle tt \wedge [\neg w(l)]\,Y$$

3. A basic safety property is that every $l \in N$ won in a $w(l)$ action cannot exceed the initial amount of money $v_0$ of the machine, updated with the $p$ and $r$ money that have been inserted and won by users since the initial state of the system, respectively:

$$\varphi_3 \stackrel{def}{=} (\nu Y(p, r{:}N).\,\forall l{:}N.\,[w(l)]\,(l \le v_0 + p - r \wedge Y(p, r+l)) \wedge [s]\,Y(p+1, r))(0, 0).$$

Clearly, $\varphi_1$ and $\varphi_3$ are valid for $X$, but $\varphi_2$ does not hold.



4 Verification

The verification problem consists in checking whether a transition system $M$ (given by a linear $\mu$CRL process) satisfies a given temporal formula $\varphi$. Two different cases are usually distinguished: global verification, which decides whether all the states of $M$ satisfy $\varphi$, and local verification, which decides whether one particular state (e.g., the initial state $s_0$) of $M$ satisfies $\varphi$. Both instances of the problem can be reduced to the satisfaction of a first-order fixed point formula. First we define the language of first-order fixed point formulas, next we describe the translation of a model $M$ and a state formula $\varphi$ into a first-order fixed point formula, and finally we provide sound proof rules for reasoning about fixed point operators.

4.1 First-Order Fixed Point Formulas

We define the syntax and semantics of the set $BForm$ of first-order fixed point formulas, which will be used as an intermediate formalism for verification purposes. The formulas $\psi \in BForm$, built over a set $BVar$ of boolean variables, are defined by the following grammar:

$$\psi ::= b \mid Z(e) \mid \neg\psi \mid \psi_1 \wedge \psi_2 \mid \exists z{:}D.\psi \mid (\mu Z(z{:}D).\psi)(e)$$

where $b \in Exp$ is a boolean expression and $Z \in BVar$ is a (parameterized) boolean variable. The derived boolean, first-order, modal, and fixed point operators are defined as usual. The data and boolean variables are bound in a manner similar to the state formulas $\varphi$. The sets of free data variables and free boolean variables of $\psi$ are noted $fdv(\psi)$ and $fbv(\psi)$, respectively. For simplicity, we use only one data parameter in first-order fixed point formulas; the formalization could easily be extended to allow multiple parameters. In the same way as for state formulas, we consider here only closed first-order fixed point formulas that have been translated into Pnf.

We introduce the domain $BEnv = BVar \rightarrow (Val \rightarrow Bool)$ of boolean environments. A boolean environment $\eta \in BEnv$ is a partial function mapping boolean variables to predicates over the domains of the data parameters. The support, bracketed notation, and overriding of boolean environments are defined in the same way as for propositional environments.

The semantics of first-order fixed point formulas is given by the interpretation function $[\![\,.\,]\!] : BForm \rightarrow BEnv \rightarrow DEnv \rightarrow Bool$, defined inductively below. For a formula $\psi$, a boolean environment $\eta$, and a data environment $\varepsilon$ such that $fbv(\psi) \subseteq supp(\eta)$ and $fdv(\psi) \subseteq supp(\varepsilon)$, $[\![\psi]\!]\eta\varepsilon$ denotes the truth value of $\psi$ in the context of $\eta$ and $\varepsilon$:

$$\begin{array}{lcl}
[\![b]\!]\eta\varepsilon & \stackrel{def}{=} & [\![b]\!]\varepsilon \\
[\![Z(e)]\!]\eta\varepsilon & \stackrel{def}{=} & (\eta(Z))([\![e]\!]\varepsilon) \\
[\![\psi_1 \wedge \psi_2]\!]\eta\varepsilon & \stackrel{def}{=} & [\![\psi_1]\!]\eta\varepsilon \wedge [\![\psi_2]\!]\eta\varepsilon \\
[\![\exists z{:}D.\psi]\!]\eta\varepsilon & \stackrel{def}{=} & \exists v \in D.\ [\![\psi]\!]\eta(\varepsilon[v/z]) \\
[\![(\mu Z(z{:}D).\psi)(e)]\!]\eta\varepsilon & \stackrel{def}{=} & (\mu\Psi_{\eta\varepsilon})([\![e]\!]\varepsilon)
\end{array}$$

where the functional $\Psi_{\eta\varepsilon} : (D \rightarrow Bool) \rightarrow (D \rightarrow Bool)$, associated to the formula $\mu Z(z{:}D).\psi$, is defined as $\Psi_{\eta\varepsilon} = \lambda G{:}D \rightarrow Bool.\,\lambda v{:}D.\ [\![\psi]\!](\eta[G/Z])(\varepsilon[v/z])$.

The functionals associated to the first-order fixed point formulas being monotonic, and the underlying lattices $D \rightarrow Bool$ being complete, it follows from Tarski's theorem that each functional has a unique minimal fixed point $\mu\Psi_{\eta\varepsilon}$ and a unique maximal fixed point $\nu\Psi_{\eta\varepsilon}$.



4.2 Transformation of the Verification Problem

Consider the following linear $\mu$CRL process:

$$X(x{:}D) = \sum_{a \in Act}\ \sum_{x_a:E_a} a(e_a) \cdot X(e'_a) \lhd b_a \rhd \delta$$

As we made precise in Section 2.4, the states of the corresponding transition system are identified with terms $X(v)$, where $v \in D$. We assume that the data variables used in the temporal formulas are disjoint from those used in the linear process.

According to the interpretation of state formulas, a state $X(v)$ satisfies a formula $\varphi$ in the context of a propositional environment $\rho$ and of a data environment $\varepsilon$ if and only if $X(v) \in [\![\varphi]\!]\rho\varepsilon$. As we will show, this is equivalent to the fact that a first-order fixed point formula $\mathrm{Tr}(\varphi)$ is true in the context of a boolean environment $\mathrm{Tr}(\rho)$ and of $\varepsilon[v/x]$, where the translations $\mathrm{Tr}(\varphi)$ and $\mathrm{Tr}(\rho)$, which take the process $X$ as an implicit parameter, are defined below.

Given $\rho \in PEnv$, the boolean environment $\mathrm{Tr}(\rho)$, whose support is given by $supp(\mathrm{Tr}(\rho)) = \{Z_Y(x{:}D, y{:}D') \mid Y(y{:}D') \in supp(\rho)\}$, is defined as follows:

$$(\mathrm{Tr}(\rho))(Z_Y) \stackrel{def}{=} \lambda v{:}D, v'{:}D'.\,(X(v) \in (\rho(Y))(v'))$$

for each $Z_Y \in supp(\mathrm{Tr}(\rho))$.

Given $\varphi \in SForm$, the translation $\mathrm{Tr}(\varphi)$ is defined inductively below:

$$\begin{array}{lcl}
\mathrm{Tr}(b) & \stackrel{def}{=} & b \\
\mathrm{Tr}(Y(e)) & \stackrel{def}{=} & Z_Y(x, e) \\
\mathrm{Tr}(\neg\varphi) & \stackrel{def}{=} & \neg\mathrm{Tr}(\varphi) \\
\mathrm{Tr}(\varphi_1 \wedge \varphi_2) & \stackrel{def}{=} & \mathrm{Tr}(\varphi_1) \wedge \mathrm{Tr}(\varphi_2) \\
\mathrm{Tr}(\langle\alpha\rangle\varphi) & \stackrel{def}{=} & \bigvee_{a \in Act} \exists x_a{:}E_a.\,(b_a \wedge (a(e_a) \models \alpha) \wedge \mathrm{Tr}(\varphi)[e'_a/x]) \\
\mathrm{Tr}(\exists y{:}D'.\varphi) & \stackrel{def}{=} & \exists y{:}D'.\,\mathrm{Tr}(\varphi) \\
\mathrm{Tr}((\mu Y(y{:}D').\varphi)(e)) & \stackrel{def}{=} & (\mu Z_Y(x_Y{:}D, y{:}D').\,\mathrm{Tr}(\varphi)[x_Y/x])(x, e)
\end{array}$$

where the predicate $a(e_a) \models \alpha$, expressing that an action $a(e_a)$ satisfies an action formula $\alpha \in AForm$, is defined inductively as follows:

$$\begin{array}{lcl}
a(e_a) \models a'(e') & \stackrel{def}{=} & a = a' \wedge e_a = e' \\
a(e_a) \models tt & \stackrel{def}{=} & tt \\
a(e_a) \models \neg\alpha & \stackrel{def}{=} & \neg(a(e_a) \models \alpha) \\
a(e_a) \models \alpha_1 \wedge \alpha_2 & \stackrel{def}{=} & (a(e_a) \models \alpha_1) \wedge (a(e_a) \models \alpha_2) \\
a(e_a) \models \exists y{:}D.\alpha & \stackrel{def}{=} & \exists y{:}D.\,(a(e_a) \models \alpha).
\end{array}$$

The following lemma states some auxiliary technical properties necessary for showing the correctness of the $\mathrm{Tr}(\varphi)$ translation.

Lemma 1. The following properties hold:

1. For all $a \in Act$, $e_a \in Exp$, $\alpha \in AForm$, and $\varepsilon \in DEnv$ such that $var(e_a) \cup fdv(\alpha) \subseteq supp(\varepsilon)$:

$$[\![a(e_a) \models \alpha]\!]\varepsilon = (a([\![e_a]\!]\varepsilon) \in [\![\alpha]\!]\varepsilon).$$

2. For all $a \in Act$ and $\varphi \in SForm$:

$$fdv(\mathrm{Tr}(\varphi)) \subseteq (fdv(\varphi) \cup \{x\}) \setminus \{x_a\}.$$

3. For all $\psi \in BForm$, $e \in Exp$, $x \in DVar$, $\eta \in BEnv$, and $\varepsilon \in DEnv$ such that $var(e) \cup fdv(\psi) \subseteq supp(\varepsilon)$:

$$[\![\psi[e/x]]\!]\eta\varepsilon = [\![\psi]\!]\eta(\varepsilon[[\![e]\!]\varepsilon/x]).$$

Proof. Straightforward, by structural induction on $\alpha$ (property 1), on $\varphi$ (property 2), and on $\psi$ (property 3).

The following proposition expresses the relation between a linear process $X$, a state formula $\varphi$, and the corresponding first-order fixed point formula $\mathrm{Tr}(\varphi)$ obtained after translation.

Proposition 1. Let $X(x{:}D)$ be a linear process as defined above and let $\varphi$ be a state formula. Then, for any $\rho \in PEnv$ and $\varepsilon \in DEnv$ such that $fpv(\varphi) \subseteq supp(\rho)$ and $fdv(\varphi) \subseteq supp(\varepsilon)$:

$$[\![\varphi]\!]\rho\varepsilon = \{X(v) \in S \mid [\![\mathrm{Tr}(\varphi)]\!]\,\mathrm{Tr}(\rho)(\varepsilon[v/x])\}.$$

Proof. By structural induction on $\varphi$, using Lemma 1.

Using the result above, we can now restate the verification problem of a closed state formula by a linear process $X$ in terms of the satisfaction of a first-order fixed point formula $\mathrm{Tr}(\varphi)$. The global model-checking problem, consisting in verifying that the formula is satisfied by every state of the process, becomes:

$$\begin{array}{lcl}
\forall v{:}D.\,(X(v) \in [\![\varphi]\!][\,][\,]) & \Leftrightarrow & \text{by Proposition 1} \\
\forall v{:}D.\,[\![\mathrm{Tr}(\varphi)]\!]\,\mathrm{Tr}([\,])([\,][v/x]) & \Leftrightarrow & \text{by definition of } \mathrm{Tr}(\rho) \\
\forall v{:}D.\,[\![\mathrm{Tr}(\varphi)]\!]\,[\,]([\,][v/x]) & \Leftrightarrow & \text{by definition of } [\![\,.\,]\!]\eta\varepsilon \\
[\![\forall x{:}D.\,\mathrm{Tr}(\varphi)]\!]\,[\,][\,]. & &
\end{array}$$

(Note that we can use empty environments whenever the formulas are closed w.r.t. the corresponding variables.) The local model-checking problem, consisting in verifying that the formula is satisfied by the initial state of the process, becomes:

$$\begin{array}{lcl}
X(v_0) \in [\![\varphi]\!][\,][\,] & \Leftrightarrow & \text{by Proposition 1} \\
[\![\mathrm{Tr}(\varphi)]\!]\,\mathrm{Tr}([\,])([\,][v_0/x]) & \Leftrightarrow & \text{by definition of } \mathrm{Tr}(\rho) \\
[\![\mathrm{Tr}(\varphi)]\!]\,[\,]([\,][v_0/x]) & \Leftrightarrow & \text{by definition of } [\![\,.\,]\!]\eta\varepsilon \\
[\![\forall x{:}D.\,(x = v_0) \rightarrow \mathrm{Tr}(\varphi)]\!]\,[\,][\,]. & &
\end{array}$$

Using the standard proof rules for first-order logic, together with the rules for minimal and maximal fixed point operators that will be given in Section 4.4, we have the basic tools available for proving the first-order fixed point formulas above.

4.3 Example (Continued)

We continue the example from Section 3.1 by giving the translations of the formulas $\varphi_1$, $\varphi_2$, and $\varphi_3$. So, to establish the validity of these formulas we must prove, respectively:

1. $(\mu Z(v{:}N, b{:}Bool).\,(b \wedge l \le v) \vee (\neg b \wedge Z(v+1, \neg b)) \vee \exists m{:}N.\,(b \wedge m \le v \wedge Z(v-m, \neg b)))(v, b)$;

2. $(\mu Z(v{:}N, b{:}Bool).\,(\neg b \rightarrow Z(v+1, \neg b)) \wedge \forall m{:}N.\,((b \wedge m \le v \wedge m \ne l) \rightarrow Z(v-m, \neg b)))(v, b)$;

3. $(\nu Z(p, r, v{:}N, b{:}Bool).\,\forall l, m{:}N.\,((b \wedge m \le v \wedge m = l) \rightarrow (l \le v_0 + p - r \wedge Z(p, r+l, v-m, \neg b))) \wedge (\neg b \rightarrow Z(p+1, r, v+1, \neg b)))(0, 0, v, b)$.



4.4 Proof Rules

As shown in Section 4.2, the verification of a data-based temporal logic formula on a linear $\mu$CRL process can be reduced to the satisfaction of a first-order formula containing fixed point operators. We provide here proof rules associated to the minimal and maximal fixed point operators. These rules can be naturally used in conjunction with some proof system for first-order logic (e.g., Gentzen's natural deduction system [...]) in order to prove the validity of first-order fixed point formulas.

We first define some auxiliary notations. Consider a fixed point formula $\sigma Z(z{:}D).\psi_1$ representing a predicate over $D$, and let $\psi_2 \in BForm$ such that $fbv(\psi_2) \subseteq fbv(\psi_1)$ and $fdv(\psi_2) \subseteq fdv(\psi_1)$. The application of $\psi_1$ on $\psi_2$ is defined as follows:

$$\psi_1[\psi_2] \stackrel{def}{=} \psi_1[\psi_2[e/z]/Z(e)]$$

Intuitively, $\psi_1[\psi_2]$ is obtained by substituting all the occurrences of $Z(e)$ in $\psi_1$ by $\psi_2$, in which all occurrences of $z$ have been replaced with the actual parameter $e$. The conditions on the variables of $\psi_2$ ensure that no free variables of $\psi_2$ become bound in $\psi_1[\psi_2]$. For simplicity, whenever $fdv(\psi_2) = \{z\}$, we will write $\psi_2(e)$ for $\psi_2[e/z]$. We also assume that the domain $N$ of natural numbers is predefined. For every $k \in N$, the application $k$ times of $\psi_1$ on $\psi_2$, noted $\psi_1^k[\psi_2]$, is defined as follows:

$$\psi_1^0[\psi_2] \stackrel{def}{=} \psi_2, \qquad \psi_1^{k+1}[\psi_2] \stackrel{def}{=} \psi_1[\psi_1^k[\psi_2]]$$

Using these notations, the proof rules for minimal and maximal fixed point operators are given below:

$$\frac{\forall k \ge 0.\,(\psi_2(k) \rightarrow \psi_1^k[ff])}{(\exists k \ge 0.\,\psi_2(k)) \rightarrow (\mu Z(z{:}D).\psi_1)(z)}\ \mathrm{LfpUp}
\qquad
\frac{\forall k \ge 0.\,(\psi_1^k[tt] \rightarrow \psi_2(k))}{(\nu Z(z{:}D).\psi_1)(z) \rightarrow (\forall k \ge 0.\,\psi_2(k))}\ \mathrm{GfpDn}$$

$$\frac{\psi_1[\psi_2] \rightarrow \psi_2}{(\mu Z(z{:}D).\psi_1)(z) \rightarrow \psi_2}\ \mathrm{LfpDn}
\qquad
\frac{\psi_2 \rightarrow \psi_1[\psi_2]}{\psi_2 \rightarrow (\nu Z(z{:}D).\psi_1)(z)}\ \mathrm{GfpUp}$$

where $\psi_2(k)$ means that the variable $k$, denoting a natural number, occurs free in $\psi_2$. Intuitively, the rules LfpUp, GfpUp and LfpDn, GfpDn allow us to approximate the extremal fixed points towards satisfaction and towards refutation, respectively. The following proposition states the soundness of these rules.

Proposition 2. The rules LfpUp, LfpDn, GfpUp, and GfpDn defined above are sound w.r.t. the semantics of the first-order fixed point formulas $\psi \in BForm$.

Proof. Given in [...].
4.5 Example (Continued)

We show the use of the rules given above by proving the formulas given in Section 4.3. We consider the three formulas separately. We give the proof of these formulas in extreme detail, such that every reasoning step can be understood.

1. For the first case we let $\psi_1 \stackrel{def}{=} (b \wedge l \le v) \vee (\neg b \wedge Z(v+1, \neg b)) \vee \exists m{:}N.\,(b \wedge m \le v \wedge Z(v-m, \neg b))$. In order to apply the rule LfpUp we must find some $\psi_2(k)$. We propose $\psi_2(k) \stackrel{def}{=} k > if(l \le v, |\neg b|, 2(l-v) - |\neg b|)$. Here, $if(b, x, y)$ equals $x$ if $b$ holds and $y$ otherwise; $|b|$ equals 1 if $b$ holds and 0 otherwise. (Intuitively, $k$ denotes the minimal number of steps necessary to reach a $w(l)$ action, starting from any state of the system.) Note that the left hand side in the conclusion of LfpUp becomes $\exists k \ge 0.\,(k > if(l \le v, |\neg b|, 2(l-v) - |\neg b|))$, which is a tautology. So, if we can prove the premise of LfpUp we have shown that the temporal formula $\varphi_1$ is valid in all states $X(v, b)$.

The premise of LfpUp has become $\forall k \ge 0.\,(k > if(l \le v, |\neg b|, 2(l-v) - |\neg b|) \rightarrow \psi_1^k[ff])$. We prove this premise by induction on $k$. For $k = 0$ this holds vacuously, because the left hand side of the implication equals falsum. For $k = k'+1$, we must prove:

$$k' \ge if(l \le v, |\neg b|, 2(l-v) - |\neg b|) \rightarrow (b \wedge l \le v) \vee (\neg b \wedge \psi_1^{k'}[ff](v+1, \neg b)) \vee \exists m{:}N.\,(b \wedge m \le v \wedge \psi_1^{k'}[ff](v-m, \neg b)).$$

This is done by making a few case distinctions:

- Suppose $b$ holds and $l \le v$. Clearly, the statement above is true, as the first disjunct of the right hand side trivially holds.

- Now, suppose $b$ holds and $l > v$. We want to show that the third disjunct holds. As $b$ holds by assumption, it suffices to show that $\exists m{:}N.\,(m \le v \wedge \psi_1^{k'}[ff](v-m, \neg b))$. Take $m = 0$. The proof obligation reduces to $\psi_1^{k'}[ff](v, \neg b)$. This is implied by the induction hypothesis, because $(\psi_2(k'))(v, \neg b) = k' > 2(l-v) - 1$, which is equivalent in this case to the left hand side $k' \ge 2(l-v)$ of the implication.

- We still must consider the case where $\neg b$. We show that the second disjunct holds in this case. We must prove that $\psi_1^{k'}[ff](v+1, \neg b)$. The left hand side of the implication becomes $k' \ge if(l \le v, 1, 2(l-v) - 1)$, which is easily seen (by distinguishing between the cases $l \le v$, $l = v+1$, and $l > v+1$) to imply $(\psi_2(k'))(v+1, \neg b) = k' > if(l \le v+1, 0, 2(l-v) - 2)$. So, the proof obligation follows from the inductive hypothesis.

This finishes the proof of the first temporal formula.

2. We show that this formula does not hold in any state of $X$. Let $\psi_1$ be the body of the $\mu Z$ formula. We apply LfpDn, taking $\psi_2 \stackrel{def}{=} ff$. The left hand side $\psi_1[\psi_2]$ of the premise looks like $(\neg b \rightarrow ff) \wedge \forall m{:}N.\,((b \wedge m \le v \wedge m \ne l) \rightarrow ff)$, which is equivalent to $ff$. Thus, the fixed point formula is false for all $v \in N$ and $b \in Bool$.

3. We show that this formula is satisfied by the initial state of the system. Let $\psi_1$ be the body of the $\nu Z$ formula. We must prove that $(v = v_0 \wedge b = ff) \rightarrow (\nu Z(p, r, v{:}N, b{:}Bool).\psi_1)(0, 0, v, b)$ for all $v \in N$ and $b \in Bool$. We solve this by showing a slightly stronger property, namely that $(v = v_0 + p - r) \rightarrow (\nu Z(p, r, v{:}N, b{:}Bool).\psi_1)(p, r, v, b)$, which implies the above boolean property by instantiating $v$, $b$, $p$, and $r$ with $v_0$, $ff$, $0$, and $0$, respectively. We apply GfpUp, taking $\psi_2 \stackrel{def}{=} (v = v_0 + p - r)$. The premise of GfpUp reduces to $(v = v_0 + p - r) \rightarrow (\forall l, m{:}N.\,((b \wedge m \le v \wedge m = l) \rightarrow (l \le v_0 + p - r \wedge v - m = v_0 + p - r - l)) \wedge (\neg b \rightarrow v + 1 = v_0 + p + 1 - r))$, which is easily seen to be a tautology. Hence, the initial state $X(v_0, ff)$ satisfies $\varphi_3$.
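As an added example (not part of the paper), the following Python script checks the slot-machine proof obligations of Sections 4.3 and 4.5 mechanically on a bounded domain: it computes the Kleene iterates $\psi_1^k[ff]$ of the translated formulas, confirms that the approximant $\psi_2(k)$ chosen for $\varphi_1$ satisfies the LfpUp premise, that $\psi_1[ff] = ff$ for $\varphi_2$ (LfpDn), and that the invariant $v = v_0 + p - r$ is preserved by the body of $\varphi_3$ (GfpUp). The cut-off VMAX, the fixed values chosen for $l$ and $v_0$, and all function names are assumptions made here.

```python
# Added example (not from the paper): bounded-domain checks of the slot-machine
# proof obligations of Sections 4.3 and 4.5. Money is cut off at VMAX+1 and the
# amount l is fixed; L, VMAX, V0 and all function names are assumptions made here.
from itertools import product

L = 3      # the amount l a user wants to win (free in phi1 and phi2)
VMAX = 8   # only states with v <= VMAX are checked
V0 = 5     # initial amount v0 of the machine (used by phi3)
STATES = [(v, b) for v in range(VMAX + 2) for b in (False, True)]

def as_pred(s):
    """Turn a finite set of states into a predicate Z. States beyond the cut-off
    count as false: an under-approximation, sound for least fixed points."""
    return lambda *st: st in s

def psi1_phi1(z):
    """Body of mu Z in Tr(phi1), with the predicate z standing for Z:
    (b /\ l <= v) \/ (~b /\ Z(v+1,~b)) \/ exists m:N.(b /\ m <= v /\ Z(v-m,~b))."""
    return {(v, b) for v, b in STATES
            if (b and L <= v) or (not b and z(v + 1, not b))
            or (b and any(z(v - m, not b) for m in range(v + 1)))}

def psi1_phi2(z):
    """Body of mu Z in Tr(phi2):
    (~b -> Z(v+1,~b)) /\ forall m:N.((b /\ m <= v /\ m != l) -> Z(v-m,~b))."""
    return {(v, b) for v, b in STATES
            if (b or z(v + 1, not b))
            and all(z(v - m, not b) for m in range(v + 1) if b and m != L)}

def iterate(body, k):
    """psi1^k[ff]: k-fold application of the functional, starting from ff."""
    s = set()
    for _ in range(k):
        s = body(as_pred(s))
    return s

def kleene_lfp(body):
    """Least fixed point as the limit of the Kleene iterates from ff."""
    s, nxt = set(), body(as_pred(set()))
    while nxt != s:
        s, nxt = nxt, body(as_pred(nxt))
    return s

def psi2_phi1(k, v, b):
    """Approximant from the proof of phi1: k > if(l <= v, |~b|, 2(l-v) - |~b|)."""
    nb = 0 if b else 1
    return k > (nb if L <= v else 2 * (L - v) - nb)

def lfpup_premise_phi1(kmax=2 * VMAX + 2):
    """forall k >= 0.(psi2(k) -> psi1^k[ff]), for k <= kmax and v <= VMAX."""
    return all(not psi2_phi1(k, v, b) or (v, b) in iterate(psi1_phi1, k)
               for k in range(kmax + 1) for v, b in STATES if v <= VMAX)

def phi1_valid_everywhere():
    """Conclusion of LfpUp: mu Z.psi1 holds in every checked state X(v, b)."""
    lfp = kleene_lfp(psi1_phi1)
    return all((v, b) in lfp for v, b in STATES if v <= VMAX)

def lfpdn_premise_phi2():
    """psi1[ff] = ff is the LfpDn premise with psi2 = ff, so mu Z.psi1 is ff."""
    return psi1_phi2(as_pred(set())) == set()

def psi2_phi3(p, r, v, b):
    """Invariant used with GfpUp in the proof of phi3: v = v0 + p - r."""
    return v == V0 + p - r

def psi1_phi3(z, p, r, v, b):
    """Body of nu Z in Tr(phi3) at one state, with z standing for Z:
    forall l,m:N.((b /\ m <= v /\ m = l) -> (l <= v0+p-r /\ Z(p,r+l,v-m,~b)))
    /\ (~b -> Z(p+1,r,v+1,~b)).  Only l = m <= v contributes to the box."""
    if b:
        return all(m <= V0 + p - r and z(p, r + m, v - m, not b)
                   for m in range(v + 1))
    return z(p + 1, r, v + 1, not b)

def gfpup_premise_phi3(pmax=6):
    """psi2 -> psi1[psi2] over all states with p, r <= pmax and v <= VMAX."""
    return all(not psi2_phi3(p, r, v, b) or psi1_phi3(psi2_phi3, p, r, v, b)
               for p, r, v, b in product(range(pmax + 1), range(pmax + 1),
                                         range(VMAX + 1), (False, True)))

if __name__ == "__main__":
    print(lfpup_premise_phi1(), phi1_valid_everywhere(),
          lfpdn_premise_phi2(), gfpup_premise_phi3())   # all True
```

A successful check on the cut-off domain is sound for the least fixed points because out-of-range states are treated as false; a failure would only be inconclusive.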

5 Application

We present here a more involved verification example using the methodology described in Section 4. Consider the following linear process $Q(q)$ describing a queue $q$:

$$Q(q) = \sum_{d:D} r(d) \cdot Q(in(d, q)) \ +\ s(toe(q)) \cdot Q(untoe(q)) \lhd |q| > 0 \rhd \delta$$

Data elements $d \in D$ are inserted in $Q$ via $r(d)$ actions and are delivered by $Q$ via $s(d)$ actions. The $|.|$ operator returns the number of elements in a queue. The $in$ function inserts an element into a queue, the $untoe$ function eliminates the element which was inserted first into a queue, and the $toe$ function returns that element. We assume that the domain $D$ has at least one element. The concatenation of two queues $q_1$ and $q_2$ is described by the linear process below:

$$\begin{array}{lcl}
Q(q_1, q_2) & = & \sum_{d:D} r(d) \cdot Q(in(d, q_1), q_2) \lhd tt \rhd \delta \ + \\
& & \tau \cdot Q(untoe(q_1), in(toe(q_1), q_2)) \lhd |q_1| > 0 \rhd \delta \ + \\
& & s(toe(q_2)) \cdot Q(q_1, untoe(q_2)) \lhd |q_2| > 0 \rhd \delta
\end{array}$$

The initial state of this process is $Q(nil, nil)$, where $nil$ is a function returning an empty queue. In the following paragraphs we present the description and verification of several safety and liveness properties of the process $Q$.

Property 1. The essential safety property of the system is that every sequence of elements inserted in $Q$ will be delivered in the same order. This can be neatly expressed using a fixed point operator parameterized by a queue $q$ storing all the elements that have been inserted in $Q$ but not yet delivered:

$$\begin{array}{lcl}
\varphi_1 & \stackrel{def}{=} & (\nu Y(q).\,\forall d_0{:}D.\,[r(d_0)]\,Y(in(d_0, q)) \ \wedge \\
& & \quad [s(d_0)]\,(|q| > 0 \wedge toe(q) = d_0 \wedge Y(untoe(q))) \ \wedge \\
& & \quad [\neg\exists d_1{:}D.\,(s(d_1) \vee r(d_1))]\,Y(q) \\
& & )(nil)
\end{array}$$

This formula captures exactly the desired behaviour of the system: the two concatenated queues must behave as a single queue. (Note the presence of the quantifier in the action formula of the last box modality, in order to express that an action is different from any $s(\ldots)$ or $r(\ldots)$ action.) We verify $\varphi_1$ in the initial state $Q(nil, nil)$ of the system. This translates as follows:

$$\begin{array}{l}
\forall q_1, q_2.\,(q_1 = nil \wedge q_2 = nil) \rightarrow \\
\quad (\nu Z(q_1, q_2, q).\,\forall d_0{:}D.\,\forall d{:}D.\,(d_0 = d \rightarrow Z(in(d, q_1), q_2, in(d_0, q))) \ \wedge \\
\qquad ((|q_2| > 0 \wedge d_0 = toe(q_2)) \rightarrow (|q| > 0 \wedge d_0 = toe(q) \wedge Z(q_1, untoe(q_2), untoe(q)))) \ \wedge \\
\qquad (|q_1| > 0 \rightarrow Z(untoe(q_1), in(toe(q_1), q_2), q)) \\
\quad )(q_1, q_2, nil)
\end{array}$$

Let $\psi_1$ be the body of the $\nu Z$ formula. To show the first-order fixed point formula above, we prove a slightly stronger property, namely that $(q_1 + q_2 = q) \rightarrow (\nu Z(q_1, q_2, q).\psi_1)(q_1, q_2, q)$ for all $q_1$, $q_2$, and $q$, where $q_1 + q_2$ denotes the concatenation of $q_1$ and $q_2$. We use the rule GfpUp, taking $\psi_2 \stackrel{def}{=} (q_1 + q_2 = q)$. The premise $\psi_2 \rightarrow \psi_1[\psi_2]$ of GfpUp reduces to the following three implications:

1. $\forall d_0, d{:}D.\,(q_1 + q_2 = q \wedge d_0 = d) \rightarrow (in(d, q_1) + q_2 = in(d_0, q))$;

2. $\forall d_0{:}D.\,(q_1 + q_2 = q \wedge |q_2| > 0 \wedge d_0 = toe(q_2)) \rightarrow (|q| > 0 \wedge d_0 = toe(q) \wedge q_1 + untoe(q_2) = untoe(q))$;

3. $\forall d_0{:}D.\,(q_1 + q_2 = q \wedge |q_1| > 0) \rightarrow (untoe(q_1) + in(toe(q_1), q_2) = q)$.

These properties can be easily shown using an appropriate axiomatization of the queue operators. Now, by instantiating $q$ to $nil$, and since $(q_1 = nil \wedge q_2 = nil) \rightarrow (q_1 + q_2 = nil)$, this implies that $(q_1 = nil \wedge q_2 = nil) \rightarrow (\nu Z(q_1, q_2, q).\psi_1)(q_1, q_2, nil)$ for all $q_1$ and $q_2$. Hence, $Q(nil, nil)$ satisfies $\varphi_1$.

Property 2. A simple liveness property (which also implies deadlock freedom) is that every datum $d_0 \in D$ can be potentially inserted in $Q$ by an action $r(d_0)$:

$$\varphi_2 \stackrel{def}{=} \mu Y.\,\langle r(d_0)\rangle tt \vee \langle tt\rangle Y$$

The verification of $\varphi_2$ in all the states of $Q$ translates as follows:

$$\begin{array}{l}
\forall q_1, q_2.\,(\mu Z(q_1, q_2).\,\exists d{:}D.\,(d = d_0) \vee \exists d{:}D.\,Z(in(d, q_1), q_2) \ \vee \\
\qquad (|q_1| > 0 \wedge Z(untoe(q_1), in(toe(q_1), q_2))) \ \vee \\
\qquad (|q_2| > 0 \wedge Z(q_1, untoe(q_2))) \\
\quad )(q_1, q_2)
\end{array}$$

We write $\psi_1$ for the body of the $\mu Z$ formula. Since the disjunct $\exists d{:}D.\,(d = d_0)$ is trivially true, $\psi_1$ reduces to $tt$ and, by applying the rule LfpUp with $\psi_2(k) = tt$, it follows that $(\mu Z(q_1, q_2).\psi_1)(q_1, q_2)$ is valid for all values of $q_1$ and $q_2$. Hence, $\varphi_2$ holds in all states of $Q$.

Property 3. A more involved liveness property is that every datum $d_0$ which is inserted in $Q$ by an action $r(d_0)$ will be eventually delivered by an action $s(d_0)$:

$$\varphi_3 \stackrel{def}{=} [r(d_0)]\,\mu Y.\,\langle tt\rangle tt \wedge [\neg s(d_0)]\,Y$$

The verification of $\varphi_3$ in all the states of $Q$ translates as follows:

$$\begin{array}{l}
\forall q_1, q_2.\,\forall d{:}D.\,d = d_0 \rightarrow \\
\quad (\mu Z(q_1, q_2).\,\forall d{:}D.\,Z(in(d, q_1), q_2) \ \wedge \\
\qquad (|q_1| > 0 \rightarrow Z(untoe(q_1), in(toe(q_1), q_2))) \ \wedge \\
\qquad ((|q_2| > 0 \wedge toe(q_2) \ne d_0) \rightarrow Z(q_1, untoe(q_2))) \\
\quad )(in(d, q_1), q_2)
\end{array}$$

Let $\psi_1$ be the body of the $\mu Z$ formula. Observing that $\psi_1[ff] = ff$, the rule LfpDn leads to $(\mu Z(q_1, q_2).\psi_1)(q_1, q_2) \rightarrow ff$ for every $q_1$ and $q_2$. Then, the whole first-order fixed point formula reduces to $\forall d{:}D.\,d \ne d_0$, which is obviously false. Hence, $\varphi_3$ does not hold in any state of $Q$. This happens because one can always insert data elements into $Q$ (see formula $\varphi_2$ above) and, under an unfair scheduling of actions (but see the next paragraph), the process may never deliver an element, letting $q_1$ and $q_2$ grow unboundedly.

Property 4. We may express the formula $\varphi_3$ by taking into account only the execution paths that are fair w.r.t. the action $s(d_0)$, i.e., those paths which cannot infinitely often enable $s(d_0)$ without infinitely often executing it:

$$\varphi_4 \stackrel{def}{=} [r(d_0)]\,\nu Y_1.\,[\neg s(d_0)]\,Y_1 \wedge \mu Y_2.\,\langle s(d_0)\rangle tt \vee \langle tt\rangle Y_2$$

The formula $\varphi_4$ specifies that after $d_0$ has been inserted in $Q$, as long as it has not yet been delivered, it is still possible to deliver it. This is an action-based instance of the fairness operator proposed in [...], where it was shown that it expresses the reachability on fair paths.

The verification of $\varphi_4$ in all the states of $Q$ translates as follows:

$$\begin{array}{l}
\forall q_1, q_2.\,(\nu Z_1(q_1, q_2).\,\forall d{:}D.\,Z_1(in(d, q_1), q_2) \ \wedge \\
\qquad (|q_1| > 0 \rightarrow Z_1(untoe(q_1), in(toe(q_1), q_2))) \ \wedge \\
\qquad ((|q_2| > 0 \wedge toe(q_2) \ne d_0) \rightarrow Z_1(q_1, untoe(q_2))) \ \wedge \\
\qquad (\mu Z_2(q_1, q_2).\,(|q_2| > 0 \wedge toe(q_2) = d_0) \vee \exists d{:}D.\,Z_2(in(d, q_1), q_2) \ \vee \\
\qquad\qquad (|q_1| > 0 \wedge Z_2(untoe(q_1), in(toe(q_1), q_2))) \ \vee \\
\qquad\qquad (|q_2| > 0 \wedge Z_2(q_1, untoe(q_2))) \\
\qquad )(q_1, q_2) \\
\quad )(in(d_0, q_1), q_2)
\end{array}$$

Let $\psi_1$ be the body of the $\nu Z_1$ formula. We show the first-order fixed point formula above by proving a slightly stronger property, namely that $d_0 \in q_1 + q_2 \rightarrow (\nu Z_1(q_1, q_2).\psi_1)(q_1, q_2)$ for all $q_1$ and $q_2$, where $\in$ denotes the membership of an element in a queue. (Having shown this, the validity of the first-order fixed point formula above follows by instantiating $q_1$ with $in(d_0, q_1)$, since $d_0 \in in(d_0, q_1) + q_2$ is trivially true.) We apply the rule GfpUp on $\psi_1$, taking $\psi'_1 \stackrel{def}{=} d_0 \in q_1 + q_2$. The premise $\psi'_1 \rightarrow \psi_1[\psi'_1]$ reduces to the following four implications:

1. $(d_0 \in q_1 + q_2) \rightarrow (\forall d{:}D.\,d_0 \in in(d, q_1) + q_2)$;

2. $(d_0 \in q_1 + q_2 \wedge |q_1| > 0) \rightarrow (d_0 \in untoe(q_1) + in(toe(q_1), q_2))$;

3. $(d_0 \in q_1 + q_2 \wedge |q_2| > 0 \wedge toe(q_2) \ne d_0) \rightarrow (d_0 \in q_1 + untoe(q_2))$;

4. $(d_0 \in q_1 + q_2) \rightarrow (\mu Z_2(q_1, q_2).\psi_2)(q_1, q_2)$

where $\psi_2$ is the body of the $\mu Z_2$ subformula. The first three properties follow easily from an axiomatization of the queue type. We show the last property using the rule LfpUp, by taking $\psi_2(k) \stackrel{def}{=} d_0 \in q_1 + q_2 \wedge 2|q_1| + |q_2| \le k$ (intuitively, $k$ denotes the minimal number of steps in which an element $d_0$ already present in $Q$ can be delivered). Note that the left hand side in the conclusion of LfpUp becomes $\exists k \ge 0.\,(d_0 \in q_1 + q_2 \wedge 2|q_1| + |q_2| \le k)$, which is trivially equivalent to $d_0 \in q_1 + q_2$.

We show the premise $\forall k \ge 0.\,(\psi_2(k) \rightarrow \psi_2^k[ff])$ of LfpUp by induction on $k$. For $k = 0$ this holds vacuously, because $\psi_2(0)$ is false. For $k = k'+1$, we must prove that $(d_0 \in q_1 + q_2 \wedge 2|q_1| + |q_2| \le k'+1) \rightarrow \psi_2^{k'+1}[ff]$. We distinguish two cases:

- $|q_1| > 0$. We show that the left hand side of the implication above implies the disjunct $|q_1| > 0 \wedge \psi_2^{k'}[ff](untoe(q_1), in(toe(q_1), q_2))$ of $\psi_2^{k'+1}[ff]$. The first conjunct is true by assumption. The second conjunct is implied by the inductive hypothesis, because: (a) $d_0 \in q_1 + q_2 \rightarrow d_0 \in untoe(q_1) + in(toe(q_1), q_2)$, and (b) $2|untoe(q_1)| + |in(toe(q_1), q_2)| = 2|q_1| + |q_2| - 1 \le k'$.

- $|q_1| = 0$. This implies that $|q_2| > 0$, because $d_0 \in q_1 + q_2$ by hypothesis. If $toe(q_2) = d_0$, then the disjunct $|q_2| > 0 \wedge toe(q_2) = d_0$ of $\psi_2$ is true. If $toe(q_2) \ne d_0$, the disjunct $|q_2| > 0 \wedge \psi_2^{k'}[ff](q_1, untoe(q_2))$ of $\psi_2^{k'+1}[ff]$ follows from the inductive hypothesis, because: (a) $d_0 \in q_1 + untoe(q_2)$, and (b) $2|q_1| + |untoe(q_2)| = 2|q_1| + |q_2| - 1 \le k'$.

This concludes the proof that all the states of $Q$ satisfy $\varphi_4$.